Bug bounty platform OpenBounty publicly releases vulnerability reports, researchers call it extremely irresponsible

Odaily News Bug bounty platform OpenBounty has come under fire from fellow security researchers after users discovered that the bug reports they submitted were posted on a public blockchain. When OpenBounty receives reports, it automatically posts the contents of those reports as transactions on Shentu, a blockchain run by OpenBountys parent company, the Shentu Foundation. Details disclosed include the threat level of the bug, the location of potentially vulnerable code, and comments from the reports author. Independent security researcher Pascal Caversaccio said it was extremely irresponsible to publicly disclose potential vulnerabilities, and any hacker could sift through the reports and exploit them. OpenBounty lists bug bounty programs offered by more than 30 crypto projects, with a total deposit value of more than $11 billion. Security researchers have also complained that OpenBounty lists and accepts bug bounty reports from other security firms and crypto projects without their permission. Among the bounties listed on the OpenBounty website are bounties from decentralized exchange Uniswap and lending protocol Compound. Michael Lewellen, head of solutions architecture at crypto security company OpenZeppelin, said: As a security advisor to Compound DAO at OpenZeppelin, I can authoritatively say that they are not authorized to manage bug bounties on behalf of the protocol. Dmytro Matviiv, CEO of bug bounty platform HackenProof, said: Listing bounties without permission may have legal consequences. The bug bounty market operates under a well-thought-out legal process. Under this system, permission must be obtained from the bounty publisher before the bounty is placed on the bug bounty platform. A spokesperson for CertiK confirmed that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK, however, Shentu has been operating autonomously as a separate entity since 2020. However, four years after the split, code on the OpenBounty platform still links to domain names with CertiK in the name. However, a spokesperson for CertiK said that these domain names are managed independently by Shentu. (DL News)