Immunefi Suspends Trust Security Over Bug Bounty Dispute

  • Immunefi suspended Trust Security for 90 days over a mischaracterized critical bug report.
  • Trust Security discovered a vulnerability that could lead to theft of funds but was denied full bounty payment.
  • TrustSec rejected Immunefi’s goodwill offer, citing concerns about transparency in the Web3 ecosystem.

Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security (also referred to as TrustSec), a white-hat security firm, following a dispute over the handling of a reported critical vulnerability.

The suspension follows a public controversy stemming from Trust Security’s claim that it was unfairly denied a full bug bounty after identifying a vulnerability that could enable theft of funds on a live network.

Dispute over the bounty payout

On November 12, Trust Security took to X (formerly Twitter) to announce that its bounty team had found a critical flaw on a forked mainnet of an unnamed project.

Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi , not only did the project get away without paying the bounty, but due to a dirty…

— Trust (@trust__90) November 12, 2024

The issue, described by Trust Security as a vulnerability that could facilitate theft of funds, was reported through Immunefi. Immunefi acts as an intermediary that facilitates vulnerability disclosure and bounty payments between security researchers and projects.

The affected project contested the report, arguing that the discovered issue fell outside the scope of eligible vulnerabilities and therefore did not qualify for a bounty payout. Immunefi reviewed the case and sided with the project, determining that the report did not meet the payout criteria under the bounty program’s defined scope.

Instead of granting the full bounty, Immunefi offered Trust Security a “goodwill payment,” which Trust Security declined. Trust Security said accepting that settlement would restrict its ability to disclose the vulnerability details without the project’s consent, limiting transparency.

Trust Security publicly criticized Immunefi for supporting what it described as the project’s “spurious” arguments and for appearing to suppress transparency within the Web3 community.

In response, Immunefi accused Trust Security of misrepresenting the circumstances. The platform issued a 90-day suspension and warned that continued mischaracterizations could lead to a permanent ban.

Our response to Trust’s tweet:

– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.

-… https://t.co/LcCGcBKvOr

— Immunefi (@immunefi) November 12, 2024

Trust Security emphasized the importance of openness and accountability in the Web3 security community, accusing both the underlying project and Immunefi of favoring opaque practices that conflict with white-hat principles. The firm maintained that public disclosure and transparent discussion are essential to protect users and strengthen ecosystem security.

The dispute sparked debate within the Web3 community. Some members questioned Immunefi’s decision to suspend Trust Security rather than engage in a more collaborative resolution process. Others supported the platform’s enforcement of its rules and scope definitions to ensure consistent bounty adjudication.

Ultimately, the incident highlights tension between researchers, projects, and platforms over scope interpretation, disclosure practices, and the balance between incentivizing vulnerability reporting and preventing misleading public statements. As both sides continue to defend their positions, the episode has renewed calls for clearer guidelines and more transparent dispute-resolution mechanisms across Web3 security programs.