According to ChainCatcher, DL News reported that the bug bounty platform OpenBounty has been criticized by fellow security researchers because some users found that the vulnerability reports they submitted were posted on a public blockchain. When OpenBounty receives reports, it automatically posts the contents of these reports as transactions on Shentu, a blockchain run by OpenBounty's parent company, Shentu Foundation. The details disclosed include the threat level of the vulnerability, the location of the potentially vulnerable code, and comments from the report author. OpenBounty lists bug bounties offered by more than 30 different crypto projects, with a total deposit value of more than $11 billion.

Independent security researcher Pascal Caversaccio said it was extremely irresponsible to publicly disclose potential vulnerabilities, since any hacker could sift through the reports and exploit them. Security researchers also complained that OpenBounty lists and accepts bug bounty reports for other security firms and crypto projects without their authorization. Among the bounties listed on the OpenBounty website are those from top decentralized exchange Uniswap and lending protocol Compound.

“As a security advisor to Compound DAO at OpenZeppelin, I can say with authority that they are not authorized to administer bug bounties on behalf of the protocol,” said Michael Lewellen, head of solutions architecture at crypto security firm OpenZeppelin.

“Listing a bounty without permission can have legal consequences,” said Dmytro Matviiv, CEO of bug bounty platform HackenProof. “The bug bounty marketplace operates under a well-thought-out legal process where permission must be obtained from the bounty poster before the bounty is placed on a bug bounty platform.”

A spokesperson for CertiK confirmed that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK, but has been operating autonomously as a separate entity since 2020. Even so, four years after the split, code on the OpenBounty platform still links to domains with CertiK in their names; the CertiK spokesperson said that these domains are managed independently by Shentu.