Is CertiK running a BS bug bounty program?
CertiK, a cryptocurrency security auditing firm that was recently embroiled in a dispute with Kraken after it hacked the exchange, has now been accused of running a ‘bug bounty’ program that was collecting vulnerabilities for various platforms rather than having security researchers submit those vulnerabilities directly to businesses.
The accusations center around ‘OpenBounty,’ operated by Shentu Chain. Shentu Chain used to be known as ‘CertiK Chain,’ which was operated by the CertiK Foundation. Archived versions of the CertiK Foundation website make it clear that it was founded by Fonghui Gu and Zhong Shao, both of whom are still listed as co-founders of CertiK.
Besides these obvious connections between the entities, others have highlighted that submitting bug bounties sends requests to URLs with CertiK in the name.
Read more: CertiK returns funds on its own terms after hacking Kraken for $3M
In many cases, OpenBounty seems to be effectively re-posting bug bounties from other platforms like ImmuneFi, with the page for Arbitrum’s bug bounty explicitly stating that you should refer to ImmuneFi’s website for more information.
An ImmuneFi executive took to X (formerly Twitter) to emphasize that ImmuneFi “does not have a partnership nor affiliation with Open Bounty/Shentu, and we would always, always, always suggest submitting via the ImmuneFi programs.”
CertiK’s recent disputes with Kraken have further heightened fears around submitting crucial vulnerabilities to CertiK, especially if the projects themselves are unaware that these vulnerabilities are being solicited via OpenBounty.
Other projects have grown frustrated with CertiK’s ‘Skynet’ project, accusing it of rating projects poorly if they don’t receive audits from CertiK.
Protos reached out to CertiK and Shentu Chain to clarify the relationship and why some of these bug bounty posts are on the platform. At press, neither has responded.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.