Saturday, July 6, 2024

In the spotlight

CertiK-related platform criticized for publicly posting vulnerability reports

Cybersecurity experts have criticized OpenBounty, a decentralized bug bounty platform. Analysts found that the platform, which is associated with the company CertiK, makes data about vulnerabilities identified in projects publicly available.

Independent researcher Pascal Caversaccio was the first to draw attention to how OpenBounty operates. He published a post sharply criticizing the platform, saying that its developers were "leaking" confidential data online and posing a serious threat to the security of the affected projects.

The researcher noted that OpenBounty publishes vulnerability reports through transactions on the Shentu blockchain. Anyone can read the severity assigned to the identified issue, the location of the problematic code, and the report author's comments.

“Public leaking of potential bugs is insanely irresponsible. Any attacker can view the reports and use them for a hacker attack,” Caversaccio said.

Experts say such information is critical for the affected developers. When a vulnerability is discovered, the platform should contact the project privately and agree on how to fix the problem before anything is disclosed, they say.

Members of the crypto community also pointed out another feature of OpenBounty. The company publishes, without the projects' permission, bounty programs and reports about rewards for bugs found in those projects. For example, the OpenBounty website hosts bounty listings related to the Uniswap exchange and the Compound protocol.

“As OpenZeppelin's security advisor for Compound DAO, I can say with confidence that they are not authorized to provide this data on behalf of the protocol,” said Michael Lewellen, head of solution architecture at OpenZeppelin.

Representatives of the HackenProof platform noted that publishing such information may have legal consequences for OpenBounty. Listing a bounty program on a project's behalf requires permission from the companies concerned, experts said.

Against the backdrop of the news about OpenBounty's activities, some of the criticism was directed at CertiK itself. Pascal Caversaccio, in particular, called the company "a bunch of criminals" and called for a public boycott of it.

CertiK representatives confirmed that the organization that operates the platform was previously part of their business. However, since 2020, Shentu and OpenBounty have operated independently, the company emphasized. At the same time, analysts point out that the platform still links to CertiK domains.

Earlier, CertiK researchers discovered a vulnerability in the Kraken cryptocurrency exchange and withdrew about $3 million worth of assets from it. The exchange accused the company of theft and blackmail.

Source INCRYPTED