Immunefi Suspends TrustSec After Dispute Over Bug Bounty Payment

  • Immunefi suspended Trust Security after disputing the characterization of a critical bug report.
  • Trust Security discovered a vulnerability that could enable theft of funds but was denied a full bounty payout.
  • TrustSec rejected Immunefi’s goodwill offer, citing concerns about transparency in the Web3 ecosystem.

Immunefi, a leading bug bounty platform for Web3, imposed a 90-day suspension on security firm Trust Security following a dispute over the handling of a reported critical vulnerability.

The suspension stems from a disagreement about Trust Security’s claim that it was unfairly denied a bounty after discovering a flaw that could lead to the theft of funds.

Dispute over the bounty payout

On November 12, Trust Security posted on X (formerly Twitter) that its bounty team had uncovered a serious vulnerability affecting the mainnet of an unnamed project.

Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi, not only did the project get away without paying the bounty, but due to a dirty…

— Trust (@trust__90) November 12, 2024

The team reported the issue to Immunefi, which facilitates bug reports and bounty payments between white-hat researchers and projects. The project involved, however, contended that the reported vulnerability fell outside the scope of bounty eligibility.

Immunefi sided with the project, ruling that the issue did not meet the platform’s criteria for a payable vulnerability. As a compromise, Immunefi offered Trust Security a “goodwill” payment rather than the full bounty. Trust Security rejected that offer, stating that accepting it would limit its ability to disclose technical details of the vulnerability without the project’s consent.

Trust Security publicly criticized Immunefi for supporting what it called the project’s “absurd” argument and for appearing to suppress transparency in the Web3 space.

In response, Immunefi accused Trust Security of mischaracterizing the facts and announced a 90-day suspension of the firm from its platform. Immunefi warned that further infractions could lead to a permanent ban, and defended its decision by reiterating that the vulnerability was outside its published rules and that the project had already been willing to provide some form of compensation.

Our response to Trust’s tweet:

– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.

-… https://t.co/LcCGcBKvOr

— Immunefi (@immunefi) November 12, 2024

Trust Security emphasized the importance of openness and transparency within the Web3 community, accusing both the affected project and Immunefi of resorting to overly secretive practices that conflict with the norms of the white-hat community.

The dispute sparked debate across the community, with some members questioning Immunefi’s decision to suspend Trust Security rather than engage in a more constructive, transparent dialogue to resolve the disagreement.