According to WuSay, independent security researcher Pascal Caversaccio discovered that when the bug bounty platform OpenBounty receives a vulnerability report, it automatically publishes the report's contents as a transaction on the Shentu blockchain, which is operated by its parent organization, the Shentu Foundation. The published data includes the severity rating of the vulnerability, the location of the potentially vulnerable code, and the reporter's comments, all of which attackers could screen and exploit.

OpenBounty also lists bug bounty programs of other security companies and crypto projects, and accepts reports against them, without their permission. A spokesperson for CertiK confirmed to DL News that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK; although Shentu has operated as an independent entity since 2020, the OpenBounty platform's code still links to domains bearing the CertiK name.