- Immunefi suspended Trust Security for 90 days after accusing the firm of mischaracterizing a critical bug report.
- Trust Security says it discovered a vulnerability that could enable theft of funds but was denied full bounty payment.
- TrustSec rejected Immunefi’s goodwill offer, citing concerns about transparency in the Web3 ecosystem.
Leading Web3 bug bounty platform Immunefi has issued a 90-day account suspension to white-hat security firm Trust Security following a dispute over a critical vulnerability report.
The suspension stems from a disagreement in which Trust Security alleges it identified a flaw that could lead to fund theft, but says its bounty claim was improperly denied.
Bug bounty dispute
On November 12, Trust Security posted on X (formerly Twitter) that its bounty team had discovered a critical vulnerability on a forked mainnet of an unnamed project that could enable live, unauthenticated theft of funds. The firm also accused the project and Immunefi of acting maliciously by refusing to pay the full bounty.
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi, not only did the project get away without paying the bounty, but due to a dirty…
— Trust (@trust__90) November 12, 2024
The vulnerability, described by Trust Security as a potential theft vector, was reported through Immunefi’s platform, which mediates vulnerability disclosures and bounty payments between white-hat researchers and projects. The project in question responded by asserting the issue was out of scope and therefore not eligible for a bounty payout.
Immunefi sided with the project, ruling the vulnerability out of scope under its established rules and dismissing the claim. Instead of awarding the full bounty, Immunefi offered Trust Security a “good-faith” payment. Trust Security rejected that offer, arguing that accepting it would prevent the firm from publicly disclosing the technical details of the bug without the project’s consent.
Trust Security further criticized Immunefi for aligning with what it called the project’s “nonsensical arguments,” and accused the platform of attempting to suppress transparency across the Web3 ecosystem. In response, Immunefi accused Trust of misrepresenting the situation, announced the 90-day suspension, and warned that continued mischaracterizations could lead to a permanent ban.
Immunefi defended its decision, stating the report violated platform rules and noting that the project had still shown goodwill by offering a bounty.
Our response to Trust’s tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
Trust Security emphasized the importance of openness and transparency in the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the white-hat community’s norms. The dispute has sparked debate among community members, with some questioning Immunefi’s decision to suspend the account rather than pursue a more constructive, transparent dialogue.