Sui Fobbed Off My Disclosure That Nearly 40% of Their Validators Are Exposed

I built a tool called PGDN.ai that analyses DeFi/L1 networks for misconfigurations, CVEs, exposed services, etc. I started with Sui because I had a contact there. I didn’t expect much from one of the largest chains. What I found was wild.

- Nearly 40% of validators are running with serious misconfigurations: open SSH, CVEs, default services, no firewalls. - The majority expose the exact Ubuntu version. They didn’t give a sausage. - I flagged multiple validators with default Apache landing pages on 80, all with a CVE. They said, "that’s by design!" - They cannot tell the difference between RPC & HTTP. - Port 2375 (usually Docker) was open - they actually just denied this.

For context: I was CTO of a crypto exchange for 4 years, and have spent 20 years in security. It's not my first rodeo as they say.

When I disclosed responsibly, their response was bizarre:

'A CVE is only exploitable if you know how to exploit it.'

They brushed it off as a "bug bounty". I was not looking for a quick buck, I was looking to help them.

After I spoke to a journalist, their comms team even told my contact not to discuss it further.

I eventually wrote up a simulated attack doc:

Full report (technical): https://github.com/pgdn-network/sui-network-report-250819 Blog (overview): https://paragraph.com/@pgdn/40percent-of-sui-validators-exposed

To me, this shows a systemic lack of security hygiene in a network securing billions of $$$. Given the right tools, an organised group could easily take Sui offline. (I am personally selling all my Sui because of this.)

So my question: is this lack of secops understanding, lack of genuine concern, or something else? I have really struggled to get this out there with my limited public "followers". Would appreciate any input!