Security Firms Clash Over CVE Credit Claims

Summary
– FuzzingLabs accuses Gecko Security of copying its vulnerability disclosures, including proof-of-concepts, and backdating blog posts to claim credit.
– The disputed vulnerabilities involve CVE-2025-51471 for Ollama and CVE-2025-48889 for Gradio, with FuzzingLabs providing evidence of intentional markers in copied exploits.
– Gecko Security denies intentional plagiarism, attributing the issue to workflow differences and unawareness of prior reports, and has credited FuzzingLabs for the two CVEs.
– FuzzingLabs claims Gecko’s actions extend beyond their case, alleging at least seven other vulnerabilities on Gecko’s site were stolen from other researchers.
– The incident underscores broader challenges in vulnerability disclosure coordination and credit attribution within the cybersecurity community.

A public dispute has erupted in the cybersecurity community, with research firm FuzzingLabs accusing startup Gecko Security of appropriating its vulnerability discoveries and improperly claiming credit for multiple CVE identifiers. The conflict centers on allegations that Gecko replicated proof-of-concept exploits and manipulated publication dates to appear as the original discoverer of security flaws.
FuzzingLabs maintains that Gecko copied their work on two specific vulnerabilities: an authentication token theft issue in Ollama servers (CVE-2025-51471) and an arbitrary file copy/denial-of-service vulnerability in Gradio (CVE-2025-48889). According to FuzzingLabs, Gecko not only submitted these vulnerabilities for CVE assignment after FuzzingLabs’ original disclosures but also backdated blog posts to create the appearance of prior discovery.
The cybersecurity company claims to possess compelling evidence supporting their allegations. “They copied our PoCs, claimed CVE IDs, and even back-dated their blog posts,” stated FuzzingLabs in social media posts. The company further revealed they had embedded “unique fingerprints we intentionally inserted to identify our work” within their proof-of-concept code, which allegedly appeared in Gecko’s submissions.
Gecko Security has vigorously denied any intentional misconduct, characterizing the situation as an unfortunate overlap in research efforts. The Y Combinator-backed startup explained that their standard procedure involves coordinating directly with project maintainers through GitHub rather than using third-party bounty platforms. This workflow difference, they argue, led to genuine duplication rather than deliberate plagiarism.
In response to the allegations, Gecko has updated relevant blog posts to credit FuzzingLabs researchers Mohammed Benhelli and Patrick Ventuzelo while adjusting publication dates. The company maintains that neither they nor the project maintainers were aware of the prior Huntr reports when they submitted their findings.
The security community remains divided on the matter, with some questioning Gecko’s explanation while others point to systemic challenges in vulnerability coordination. The incident highlights broader concerns about attribution practices in cybersecurity research, particularly as multiple entities increasingly identify similar security flaws through automated scanning tools.
FuzzingLabs’ Patrick Ventuzelo acknowledged Gecko’s corrective actions but expressed lingering concerns about their overall processes. “The original sequence of events and back-dated blog entries raises broader concerns about their entire process,” Ventuzelo told media outlets. “Having identical PoCs and unique markers we inserted ourselves directly collides with their duplicate narrative.”
This confrontation underscores the complex dynamics of credit allocation in responsible vulnerability disclosure, especially as security researchers and companies increasingly operate across multiple platforms with varying coordination mechanisms. The situation demonstrates how competing claims can emerge when different entities identify similar security flaws through parallel research efforts.
(Source: Bleeping Computer)