PANews reported on July 3, citing DL News, that the bug bounty platform OpenBounty has been criticized by security researchers after some users discovered that the vulnerability reports they had submitted were posted on a public blockchain. When OpenBounty receives a report, it automatically publishes the report's contents as a transaction on Shentu, a blockchain run by OpenBounty's parent company, the Shentu Foundation. The details exposed include the threat level of the vulnerability, the location of the potentially vulnerable code, and the reporter's comments. OpenBounty lists bug bounties from more than 30 crypto projects, with a combined deposit value of more than $11 billion.

Independent security researcher Pascal Caversaccio said it was extremely irresponsible to publicly leak potential vulnerabilities, since any hacker could sift through the reports and exploit them. Security researchers also complained that OpenBounty lists, and accepts reports against, the bug bounties of security companies and crypto projects that never authorized it to do so. Among the bounties listed on the OpenBounty website are those of the leading decentralized exchange Uniswap and the lending protocol Compound. "As a security advisor to Compound DAO at OpenZeppelin, I can authoritatively say that they are not authorized to manage bug bounties on behalf of the protocol," said Michael Lewellen, head of solutions architecture at crypto security company OpenZeppelin. "Listing bounties without permission can have legal consequences," said Dmytro Matviiv, CEO of bug bounty platform HackenProof. "The bug bounty market operates under a well-thought-out legal process. Under this system, permission must be obtained from the bounty issuer before the bounty is placed on the bug bounty platform."

A spokesperson for CertiK confirmed that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK, but said that Shentu has operated autonomously as a separate entity since 2020. Four years after the split, however, code on the OpenBounty platform still links to domains with CertiK in the name; the CertiK spokesperson said these domains are managed independently by Shentu.