Odaily Planet Daily News Bug bounty platform OpenBounty has been criticized by fellow security researchers because some users found that the vulnerability reports they submitted were posted on a public chain. When OpenBounty receives reports, it automatically publishes the contents of these reports as transactions on Shentu, a blockchain run by OpenBounty's parent company Shentu Foundation. The details disclosed include the threat level of the vulnerability, the location of the potentially vulnerable code, and comments from the report author. Independent security researcher Pascal Caversaccio said that publicly leaking potential vulnerabilities is extremely irresponsible and any hacker can screen these reports and exploit them. OpenBounty lists bug bounty programs offered by more than 30 crypto projects, with a total deposit value of more than $11 billion. Security researchers also complained that OpenBounty lists and accepts bug bounty reports provided by other security companies and crypto projects without their permission. Among the bounties listed on the OpenBounty website are bounties from decentralized exchange Uniswap and lending protocol Compound. Michael Lewellen, head of solutions architecture at crypto security company OpenZeppelin, said: "As a security advisor to Compound DAO at OpenZeppelin, I can authoritatively say that they are not authorized to manage bug bounties on behalf of the protocol." Dmytro Matviiv, CEO of bug bounty platform HackenProof, said: "Listing bounties without permission may have legal consequences. The bug bounty market operates under a well-thought-out legal process. Under this system, permission must be obtained from the bounty publisher before the bounty is placed on the bug bounty platform." A spokesperson for CertiK confirmed that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK, however, Shentu has been operating autonomously as a separate entity since 2020. However, four years after the split, code on the OpenBounty platform still links to domain names with CertiK in the name. However, a spokesperson for CertiK said that these domain names are managed independently by Shentu. (DL News)