O³SEC

12 posts

O³SEC banner
O³SEC

O³SEC

@ooosec_com

Hunt Bugs. Get Paid Fast.

Katılım Ocak 2026
0 Takip Edilen34 Takipçiler
O³SEC
O³SEC@ooosec_com·
@kauenet @MeteoraAG thanks for the input, let us cook and get back to you with update.
English
2
0
2
12
kaue
kaue@kauenet·
duplicate tags should be followed by an UID + sub_timestamp ref to whichever submission came first once results are public, submittors can check them for themselves and provably see bounty creator wasn't lying to them if bounty creator's security team was investigating it internally, too bad, they should have also catalogued it in o3sec, that's a violation for lack of transparency/coordination
English
1
0
2
29
kaue
kaue@kauenet·
Felipão raised this flag a couple weeks ago and I quickly & comprehensively verified - @MeteoraAG has vulnerable Mainnet code, even though no pools are currently hackable. I believe having users potentially exposed with vulnerable code on production makes this at the very least a HIGH severity. The bigger issue I see is platforms like @ooosec_com allowing such important concerns be flagged as DUPLICATE with no proof or transparency. ANY bounty creator can flag ANY submission as duplicate with no further proof, then fix the findings and leave security researchers with nothing. I'm not saying Meteora is doing so - I fully believe them that there was another bounty submission among these lines and it's a valid flag, the only thing I'm raising here is that more transparency is always welcome! And I trust @MeteoraAG community will compensate @blchead proportionally to the care and attention he has put in their protocol to protect users 😍
blchead | Felipe@blchead

I recently submitted a CVSS 7.7 (High) authorization vulnerability affecting @MeteoraAG Before sharing fully transparent (BUT removing critical info) I spoke with team and as I don't agree with that, I want to know CT opinion. The issue allows a configured shareholder to divert one side of dual-token fee claims, resulting in DIRECT THEFT of protocol/partner fee revenue. - A shareholder with even a 1-unit share can steal 100% of one token side. - The attack is repeatable on every fee accrual. - The theft is silent (the diverted fees never appear in the vault or events). It undermines the fundamental guarantee that fees are distributed according to shareholder allocations. The report was classified as DUPLICATE. After I followed up with additional evidence, including: - an end-to-end PoC reproduced on a local fork, transaction hashes, - proof that the issue remained exploitable on deployed binaries, - blast-radius analysis covering thousands of affected vaults, Meteora responded that: - the issue is still exploitable on the deployed DFS integration; - the duplicate status is only about bounty eligibility, not the validity of the finding; - that my PoC and exposure analysis are useful for prioritization. This raises a question I'd like to discuss with the bug bounty community. If the issue was already known, why does it remain exploitable on production? And more broadly: How is a researcher supposed to know whether a live vulnerability is already known internally? From the outside, there is no distinction between: - a brand-new vulnerability, - one that has already been privately reported, - one that is internally tracked, - one awaiting a future fix. Every one of those requires the same audit effort, reverse engineering, code review, exploit development, and responsible disclosure. I'm not questioning the duplicate policy itself bc most bug bounty programs have one. I'm questioning the lack of transparency around known-but-unpatched vulnerabilities. Should protocols provide more visibility when a CVSS 7.7 (High) issue capable of silently diverting protocol fees remains live? Or is it simply accepted that researchers may spend days producing original analysis and PoCs for vulnerabilities that have zero possibility of a reward because that information is impossible to know beforehand? I'd be interested in hearing how both protocol security teams and other researchers think this should be handled.

English
3
2
17
931
O³SEC
O³SEC@ooosec_com·
3\ Bad-faith hunters cost triagers real time. Now they cost themselves access.
English
0
0
0
79
O³SEC
O³SEC@ooosec_com·
2\ Fair..Shipped it. Program admins/Owners can now ban a researcher from their program! Sticks to KYC identity so email rotation doesn't help
English
1
0
0
124
O³SEC
O³SEC@ooosec_com·
1\ One of the program member DM'd us this week Asking -- Any way to ban a researcher? One's been harassing us and burying our queue with AI-generated reports.
English
1
0
0
135
O³SEC
O³SEC@ooosec_com·
Same score everywhere now. Profile, settings, every program's Hall of Fame. If you hunt on OOOSec: be picky. Rejected reports hurt your rank now. Skip the borderline ones. ooosec.com/leaderboard
English
0
0
0
56
O³SEC
O³SEC@ooosec_com·
What changed on the live page: - A hunter with 6 accepted reports took #1. Old #1 had higher rep but only 2 reports. - A hunter with 50% accuracy on 12 reports dropped 6 places. - Three 100%-accuracy researchers moved up.
English
1
0
0
62
O³SEC
O³SEC@ooosec_com·
We were ranking the leaderboard wrong. Here's what we changed. Old rank: raw reputation. Most accepted reports won. Problem: someone with 50% accuracy on 12 reports sat at #4 while three 100%-accuracy researchers with less rep sat below them. Volume was beating signal.
English
1
0
0
89
O³SEC
O³SEC@ooosec_com·
0x01 Hi !
0
0
2
181