- Immunefi has suspended Trust Security for mischaracterizing a critical bug report.
- Trust Security discovered a theft-of-funds bug but was denied a full bounty payout.
- TrustSec rejected Immunefi’s goodwill offer, citing transparency concerns in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security, a white-hat security firm, following a dispute over a critical bug report.
The suspension follows a controversy that centres around Trust Security’s claims of an unjust denial of a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty dispute
On November 12, Trust Security took to X (formerly Twitter) to reveal that its bounty team had discovered a serious vulnerability in a forked mainnet of an unidentified project.
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi , not only did the project get away without paying the bounty, but due to a dirty…
— Trust (@trust__90) November 12, 2024
The bug, described as a theft-of-funds issue, was reported to Immunefi, which facilitates the mediation of bug reports and bounty payments between white-hat hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty payout.
Immunefi sided with the project’s stance, dismissing the vulnerability as out of scope according to its established rules.
Immunefi offered TrustSec a “goodwill bounty” instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent them from disclosing the bug’s details without the project’s approval.
TrustSec further criticized Immunefi for siding with the project’s “nonsense argument” and for what it perceived as an attempt to suppress transparency in the Web3 ecosystem.
Immunefi, in turn, accused Trust of mischaracterizing the situation and suspended the firm for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was, indeed, out of scope according to its rules and that the project was generous in offering any bounty at all.
Our response to Trust’s tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
— Immunefi (@immunefi) November 12, 2024
Trust Security, however, emphasized the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white-hat community.
The dispute has sparked debate among community members, with some questioning Immunefi’s decision to impose a suspension rather than engage in constructive dialogue.
