Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesEarnWeb3SquareMore
Trade
Spot
Buy and sell crypto with ease
Margin
Amplify your capital and maximize fund efficiency
Onchain
Going Onchain, without going Onchain!
Convert
Zero fees, no slippage
Explore
Launchhub
Gain the edge early and start winning
Copy
Copy elite trader with one click
Bots
Simple, fast, and reliable AI trading bot
Trade
USDT-M Futures
Futures settled in USDT
USDC-M Futures
Futures settled in USDC
Coin-M Futures
Futures settled in cryptocurrencies
Explore
Futures guide
A beginner-to-advanced journey in futures trading
Futures promotions
Generous rewards await
Overview
A variety of products to grow your assets
Simple Earn
Deposit and withdraw anytime to earn flexible returns with zero risk
On-chain Earn
Earn profits daily without risking principal
Structured Earn
Robust financial innovation to navigate market swings
VIP and Wealth Management
Premium services for smart wealth management
Loans
Flexible borrowing with high fund security
Bug bounty platform OpenBounty publicly releases vulnerability reports, researchers call it extremely irresponsible

Bug bounty platform OpenBounty publicly releases vulnerability reports, researchers call it extremely irresponsible

Odaily2024/07/03 07:04
By:Odaily
Odaily News Bug bounty platform OpenBounty has come under fire from fellow security researchers after users discovered that the bug reports they submitted were posted on a public blockchain. When OpenBounty receives reports, it automatically posts the contents of those reports as transactions on Shentu, a blockchain run by OpenBountys parent company, the Shentu Foundation. Details disclosed include the threat level of the bug, the location of potentially vulnerable code, and comments from the reports author. Independent security researcher Pascal Caversaccio said it was extremely irresponsible to publicly disclose potential vulnerabilities, and any hacker could sift through the reports and exploit them. OpenBounty lists bug bounty programs offered by more than 30 crypto projects, with a total deposit value of more than $11 billion. Security researchers have also complained that OpenBounty lists and accepts bug bounty reports from other security firms and crypto projects without their permission. Among the bounties listed on the OpenBounty website are bounties from decentralized exchange Uniswap and lending protocol Compound. Michael Lewellen, head of solutions architecture at crypto security company OpenZeppelin, said: As a security advisor to Compound DAO at OpenZeppelin, I can authoritatively say that they are not authorized to manage bug bounties on behalf of the protocol. Dmytro Matviiv, CEO of bug bounty platform HackenProof, said: Listing bounties without permission may have legal consequences. The bug bounty market operates under a well-thought-out legal process. Under this system, permission must be obtained from the bounty publisher before the bounty is placed on the bug bounty platform. A spokesperson for CertiK confirmed that Shentu, the entity that controls the OpenBounty platform, was once part of CertiK, however, Shentu has been operating autonomously as a separate entity since 2020. However, four years after the split, code on the OpenBounty platform still links to domain names with CertiK in the name. However, a spokesperson for CertiK said that these domain names are managed independently by Shentu. (DL News)
0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!