Web3 bug bounty platform Immunefi issued a 90-day suspension on white hat security firm Trust Security. The decision was made after the latter accused Immunefi of unjust denial of bug bounty payment for discovering a critical bug that could potentially lead to the theft of funds.
On Nov. 12, Trust Security revealed on X that its bounty team identified a critical theft-of-funds vulnerability on a forked mainnet of an unidentified project. The proof-of-concept of the vulnerability was shared with Immunefi, which acts as a mediator between the white hats and projects to ensure bounty payments are made on credible bug identifications.
Critical bug dismissed as “out of scope” report However, the project claimed that Trust Security detected an out-of-scope bug, which would effectively disqualify the white hats from earning bounty rewards.
According to Trust, Immunefi wrongly sided with the project’s “nonsense argument” and offered a “tiny goodwill bounty” instead of the full reward for identifying critical bugs. Immunefi threatens a permanent ban on TrustSec Immunefi rebutted Trust’s claims of unjust payout and issued a 90-day suspension for “mischaracterizing the issues at hand.” The bug bounty platform also threatened to permanently ban Trust if it repeated the infraction.
Immunefi stood firm in supporting the project: “In this case, we agreed with the project because the issue was absolutely out of scope according to our standard rules. The project was generous to offer a bounty at all.” However, Trust rejected the goodwill bounty as accepting it would legally prevent them from publishing the details without approval, adding, “We rather expose the scam and warn hackers than having a few extra Ks in our pocket.”
Additionally, Trust urged for greater transparency and openness: “We’re going public because the shady, ultra-secretive behavior we’re seeing from projects and some bounty platforms goes directly against the Web3 ethos and the white hat community.” Some crypto community members on X questioned Immunefi’s decision to impose a ban on Trust instead of engaging in a constructive dialogue. Immunefi did not respond to Cointelegraph’s request for comment. In October, Evmos Blockchain paid a $150,000 bounty reward to a security researcher who identified a critical bug by reading the Cosmos Network documentation.
According to the pseudonymous Spearbit security researcher jayjonah.eth, the critical bug could have halted the Evmos blockchain and all decentralized applications built on it.