Immunefi suspended Trust Security for mischaracterizing a critical bug report. Trust Security discovered the funds theft bug, but the bounty was not paid out in full. TrustSec rejected Immunefi’s goodwill offer, citing concerns about transparency in Web3.
Immunefi, the leading Web3 bug bounty platform, has imposed a 90-day suspension on whitehat security firm Trust Security following a dispute over a critical bug report.
The suspension followed a controversy centered on Trust Security’s claims that it was unfairly denied a bug bounty for identifying vulnerabilities that could lead to the theft of funds.
Bug bounty controversy
On November 12, Trust Security revealed on X (formerly Twitter) that its bounty team had discovered a critical vulnerability in the forked mainnet of an unidentified project.
Recently, TrustSec’s bounty team discovered another significant incident that resulted in the theft of illicit funds. Due to what we believe to be malicious behavior on the part of the project, especially @immunefi, the project not only got away with not paying the bounty, but it was also due to dirty deeds.
— Trust (@trust__90) November 12, 2024
This bug was described as a fund theft issue and reported to Immunefi. Immunefi facilitates bug reporting and bounty payments between white hat hackers and projects. However, the project in question argued that the discovered vulnerabilities were not covered and would not be eligible for bounty payments.
Immunefi supported the project’s position and dismissed the vulnerability as not covered in accordance with established rules.
Immunefi offered TrustSec a “goodwill bounty” instead of the full fee, but TrustSec rejected the offer, arguing that accepting it would prevent the firm from disclosing details of the bug without the project’s approval.
TrustSec also criticized Immunefi for supporting the project’s “nonsense arguments” and for what it deemed to be an attempt to stifle transparency in the Web3 ecosystem.
Meanwhile, Immunefi accused Trust of misrepresenting the situation and suspended the company for 90 days. The platform threatened to permanently ban TrustSec if it continued to report falsely on the issue.
Immunefi defended its position, saying that the issue was indeed outside the scope of its rules and that the project had nonetheless been willing to offer some incentive.
Our response to the Trust’s tweet is below.
– We want to be clear: such a manipulative approach that mischaracterizes the issue at hand is unethical and unacceptable. We will suspend business for 90 days. The third and final violation will result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
However, Trust Security emphasizes the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that go against the principles of a whitehat community.
The controversy has sparked debate among community members, with some questioning Immunefi’s decision to impose the suspension without engaging in constructive dialogue.