
Security firms debate CVE credit in overlapping vulnerability reports


Cybersecurity company FuzzingLabs has accused the Y Combinator-backed startup Gecko Security of replicating its vulnerability disclosures and backdating blog posts.

According to the company, Gecko filed CVEs for two vulnerabilities that FuzzingLabs previously disclosed, and even "copied the PoCs, re-submitted them, and took the credit."

Gecko Security has denied any wrongdoing, calling the allegations a misunderstanding over disclosure processes.

FuzzingLabs cries foul

A public dispute has erupted between two cybersecurity startups, FuzzingLabs and Gecko Security, after the former accused the Y Combinator-backed firm of copying its vulnerability discoveries and claiming credit for multiple CVE IDs.

"They copied our PoCs, claimed CVE IDs, and even back-dated their blog posts," alleges FuzzingLabs on social media.

"This isn't just about two CVEs, it’s about integrity in security research. We follow responsible disclosure. They waited for our public reports, copied the PoCs, re-submitted them, and took the credit."

The vulnerabilities being referred to by FuzzingLabs are:

Ollama (ollama/ollama) server authentication token stealing vulnerability: Original report filed Dec 24th 2024. Later assigned CVE-2025-51471.

Gradio (gradio-app/gradio) arbitrary file copy & Denial of Service (DoS) via flagging mechanism: Original report filed Jan 16th 2025. Later assigned CVE-2025-48889.
