A public dispute has erupted between two cybersecurity startups, FuzzingLabs and the Y Combinator-backed Gecko Security, after FuzzingLabs accused its competitor of replicating its vulnerability disclosures and backdating blog posts to steal credit.
Allegations of Plagiarism and Backdating
FuzzingLabs alleges that Gecko Security copied its original proof-of-concepts (PoCs), resubmitted them, and claimed CVE IDs for two vulnerabilities that FuzzingLabs had previously disclosed: an authentication token stealing vulnerability in Ollama and an arbitrary file copy vulnerability in Gradio.
FuzzingLabs claims to have "indisputable evidence" of line-by-line copying because the exploits contained "unique fingerprints we intentionally inserted to identify our work" in the event of plagiarism. Furthermore, FuzzingLabs accused Gecko of backdating its blog posts to make its reports appear older than the original, legitimate public disclosures.
Gecko's Response and Mitigation
Gecko Security has denied any intentional wrongdoing, characterizing the situation as an unfortunate overlap or misunderstanding over disclosure processes. The company subsequently edited its blog posts, updating the publishing dates and crediting FuzzingLabs researchers Mohammed Benhelli and Patrick Ventuzelo. Gecko explained that its workflow involves coordinating directly with project maintainers rather than using third-party platforms like the one FuzzingLabs used, which may have led to the duplication.
Despite Gecko's efforts to clarify, FuzzingLabs insisted that having identical PoCs and unique internal markers directly contradicts the narrative of simple duplication. The incident highlights broader issues of integrity, credit, and coordination within the security community as researchers independently identify similar flaws.

