Sep 27, 2022 Frank Stewskid
Two critical issues were reported to OpenSea's bug bounty program in a week
OpenSea has fixed two critical issues that would have affected the security of the marketplace, both within a span of 8 days. Its GitHub repositories were last updated about seven hours ago, around the time Corben Leo, an independent security researcher and bug bounty hunter known by his pseudonym "hacker_" on Twitter, found a critical vulnerability in the NFT marketplace's code.
I'm uncomfortable tweeting stuff like this out, but...
I found a critical vulnerability in @opensea this weekend and reported it through @Hacker0x01.
They fixed the issue within 3 hours of reporting and I just got this notification👏🫢 pic.twitter.com/od6EFA5KSb
— Corben Leo (@hacker_) September 26, 2022
According to the researcher, the issue was fixed within 3 hours of reporting, and, per the company's bug bounty program reward policy, OpenSea paid him $100,000. Furthermore, OpenSea asked the researcher to retest the bug, which cost him gas fees; the company covered those as well, on top of the bounty payment.
This was the second critical bug reported publicly in that period, following an issue found by Twitter user "nix.eth" and shared on September 20, which took the team behind the popular marketplace 12 hours to patch. OpenSea paid the crypto analyst the same amount: $100,000.
Impressed by @opensea's commitment to security. 👏
I discovered a vulnerability on https://t.co/YQXXfgZBG4 and reported it through @Hacker0x01. In less than 12 hours they had triaged, reproduced, patched, and awarded me a sizable bounty! pic.twitter.com/Xgv2VGfrW5
— nix.eth (@nix_eth) September 20, 2022