Overview
Recently, we encountered a situation that underscored the importance of verifiable transparency. A modified version of one of our audit reports was shared online through an unauthorized link pointing to a URL designed to resemble our official domain. We identified and addressed the issue promptly, but the incident reinforced why authenticity and provenance matter deeply in security reporting. This incident was also a reminder of why we began investigating and collaborating on other methods of publishing reports such as digitally signed reports and on-chain publication of audit metadata.
What Happened
The discovery occurred during routine monitoring of public references to our work. Our team noticed an unfamiliar link that closely resembled our domain and distributed a modified version of a genuine report. While the content changes were limited, the impersonation risk was significant, both for our reputation and for anyone relying on an altered report for due diligence. Once identified, we confirmed the report’s authenticity chain, contacted the relevant hosts, and implemented additional preventive measures to mitigate future occurrences.
Understanding Typosquatting
This type of incident is commonly known as “typosquatting,” the practice of registering or using a look-alike domain name to impersonate a trusted source. While often used for phishing or credential theft, typosquatting can also be exploited to distribute modified or misleading documents. The tactic relies on subtle visual similarities. In other words, a single character difference in a URL (as was the case in our example) can be enough to deceive even experienced users.
How Typosquatting Is Addressed Under the UDRP
When typosquatting occurs, the Uniform Domain-Name Dispute-Resolution Policy (UDRP) offers a streamlined way for trademark holders to challenge abusive domain registrations. An ICANN-approved dispute resolution provider, such as the World Intellectual Property Organization (WIPO), reviews the case and appoints a panel to determine whether the domain is confusingly similar, lacks legitimate use, and was registered in bad faith. If the panel rules in the complainant’s favor, it can order the domain’s transfer or cancellation, which the ICANN-accredited registrar must then carry out. This low-cost administrative process provides an efficient alternative to litigation and helps remove misleading or malicious look-alike domains from use.
Why Verifiable Transparency Matters
For organizations that publish security research, audits, or vulnerability findings, trust depends not only on technical rigor but also on verifiable provenance. A report’s integrity should be checkable not just by reputation but through technical means.
One of the simpler ways to accomplish this is through multi-location publishing. When a client authorizes us to publish an audit report, we encourage them to do the same so that interested parties can compare both instances to verify that they match. Occasionally, when we discover that a client has published a report without informing us, we publish the corresponding report to preserve our brand integrity and to ensure that the publicly available version matches the one we delivered.
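The two checks described in this post, flagging single-character look-alike domains during link monitoring and comparing a mirrored copy of a report against the canonical one, as an added Python example that is not part of this post or its workflows; the domain names, report text and the edit-distance threshold are constructed assumptions, and the edit-distance approach is a stand-in for whatever monitoring the firm actually uses:

```python
from __future__ import annotations
import difflib
import hashlib

OFFICIAL_DOMAIN = "audits.example"  # constructed placeholder, not a real domain

# Constructed report text: the mirror differs from the canonical copy by one line.
CANONICAL = b"Audit Report\nFinding 1: High severity\nFinding 2: Low severity\n"
MODIFIED = b"Audit Report\nFinding 1: Low severity\nFinding 2: Low severity\n"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_domains(observed: list[str], official: str = OFFICIAL_DOMAIN,
                      max_edits: int = 1) -> list[str]:
    """Return observed domains within max_edits of the official domain
    (the 'single character difference' case); the exact match is not flagged."""
    return [d for d in observed
            if d.lower() != official and edit_distance(d.lower(), official) <= max_edits]


def verify_mirror(canonical: bytes, mirrored: bytes) -> tuple[bool, str, list[str]]:
    """Compare a mirrored report with the canonical copy by SHA-256.
    Returns (match, sha256 of the mirror, unified-diff lines for any change)."""
    digest = hashlib.sha256(mirrored).hexdigest()
    if digest == hashlib.sha256(canonical).hexdigest():
        return True, digest, []
    diff = difflib.unified_diff(canonical.decode().splitlines(),
                                mirrored.decode().splitlines(),
                                "canonical", "mirror", lineterm="", n=0)
    return False, digest, list(diff)


if __name__ == "__main__":
    print(lookalike_domains(["audits.example", "audlts.example", "other.example"]))
    ok, digest, diff = verify_mirror(CANONICAL, MODIFIED)
    print(ok, digest)
    print("\n".join(diff))
```

Edit distance catches one-character swaps, insertions and deletions but not visual substitutions such as "rn" for "m", which count as two edits; a monitoring check should add homoglyph rules for those.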
Beyond mirrored publication, we have also been working to make audit reports more verifiable, accessible, and enduring by exploring alternative options, such as publishing them as digital artifacts on the Bitcoin blockchain. Compared to traditional formats such as PDFs or GitHub repositories, digital artifacts provide several advantages:
- They are machine-readable, facilitating the processing and integration of audit data into other systems.
- They are immutable, ensuring reports remain tamper-evident and suitable for long-term archival.
- They exist independently of individual organizations, supporting the principle that security research, especially for decentralized public goods, should remain accessible beyond the lifespan of any single company.
These publishing methods reinforce a long-standing goal: to improve the transparency and usability of audit data for all stakeholders, from client teams to the broader ecosystem. We also continue to explore solutions such as digitally signed reports and on-chain publication of audit metadata. Together, these measures help ensure that even if a document is copied, redistributed, or referenced elsewhere, its authenticity can always be verified.
Continuous Monitoring and Improvement
To date, we have published nearly 200 of more than 300 completed audits. Unfortunately, modified reports may continue to appear. Whether for personal gain, retaliation, or simple mischief, we cannot allow them to be treated as trustworthy. Verifiable transparency is one layer of defense against the risks posed by modified or impersonated reports. Continuous monitoring, rapid response, and regular review of even the most basic assets (for example, domains, links, and publication workflows) are equally important. Incidents of this kind remind us that security is not a static achievement but a continuous process. By combining proactive monitoring with verifiable publication, we can strengthen both the integrity of our work and the trust that underpins the wider ecosystem.