# Scan Notes: Chia Network `chia-blockchain`

- Date: 2026-02-15
- Repo: https://github.com/Chia-Network/chia-blockchain
- Program: HackerOne Chia Network

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 11 findings
- 5 GitHub Actions interpolation warnings
- 2 `pickle` findings are in tests (`chia/_tests/...`)
- 2 unverified SSL context findings (likely tooling/tests)
- 2 subprocess-related audit warnings

Trufflehog (filesystem, filtered, no verification):

- 81 `PrivateKey` detections, all in simulator SSL cert fixtures under `chia/simulator/ssl_certs_*.py` (test/dev material)

## Takeaway

Nothing immediately bounty-grade from automated scans; likely needs manual review of RPC/network surfaces and wallet/key handling if we keep hunting here.