Immunefi, a leading Web3 bug bounty platform, has issued a 90-day suspension on Trust Security, a well-known white-hat security firm, after a dispute over a critical vulnerability discovered by Trust’s team. The disagreement centers on the platform’s decision to deny full payment for identifying a severe bug that could potentially have allowed the theft of funds. This issue raises broader concerns about transparency and fairness within the bug bounty ecosystem.
On November 12, 2024, Trust Security took to X (formerly Twitter) to reveal that its bounty team had discovered a critical vulnerability in a forked mainnet of an undisclosed Web3 project. According to Trust, the bug posed a significant threat, with the potential for fund theft from users and the platform. Trust Security shared the proof-of-concept of the vulnerability with Immunefi, which typically mediates between security researchers (white hats) and the projects they report bugs to, ensuring fair bounty payouts for identified vulnerabilities.
Despite the severity of the bug, Immunefi sided with the project’s claim that the vulnerability was “out of scope” for the bug bounty program. This decision effectively meant that Trust Security would not receive the full bounty reward for discovering the issue. Trust Security strongly disagreed with this conclusion, accusing Immunefi of endorsing what it termed a “nonsense argument” from the project, which ultimately led to the platform offering Trust a “tiny goodwill bounty” instead of the full payment they felt was justified for identifying a critical flaw.
Immunefi responded by defending its stance and issued a 90-day suspension to Trust Security, accusing the firm of mischaracterizing the issues at hand. The platform emphasized that it had sided with the project because, according to Immunefi’s standard rules, the reported bug was out of scope. Immunefi further criticized Trust’s rejection of the goodwill bounty, which it argued was a generous gesture given the circumstances.
Immunefi also warned Trust that a permanent ban would be issued if the firm repeated similar actions in the future. The platform reiterated its position, stating:
“In this case, we agreed with the project because the issue was absolutely out of scope according to our standard rules. The project was generous to offer a bounty at all.”
Trust Security’s Response: Transparency Over Payment Dispute
Trust Security rejected Immunefi’s “goodwill bounty” offer, stating that accepting it would have legally prevented the firm from publishing the details of the vulnerability without prior approval. Trust expressed its commitment to exposing security flaws and warning others in the community, rather than accepting a lesser payout.
Trust argued that the situation highlighted larger issues with the Web3 bug bounty ecosystem, claiming that such practices went against the core values of transparency and openness in the Web3 space. The firm pointed out that some bounty platforms and projects operate in a “shady, ultra-secretive” manner, which undermines the ethos of the white-hat community.
“We’d rather expose the scam and warn hackers than have a few extra Ks in our pocket.”
The Community Reacts: Questions Over Immunefi’s Approach
The decision to suspend Trust Security has sparked a debate within the crypto community, with many questioning whether Immunefi should have engaged in a more constructive dialogue instead of issuing a suspension. Critics argue that the situation could have been resolved through more transparent communication and collaboration between all parties involved.
Immunefi did not provide a comment in response to Cointelegraph’s request, leaving the community to speculate on the platform’s rationale behind its suspension and the handling of the dispute.
This incident follows several high-profile bug bounty payouts in the Web3 space, where researchers have received substantial rewards for identifying critical vulnerabilities. For instance, in October 2024, Evmos Blockchain paid out $150,000 to a security researcher who discovered a critical flaw that could have caused the network to halt. The discovery of such vulnerabilities underscores the importance of fair and transparent processes for rewarding those who help protect Web3 ecosystems.
The ongoing dispute between Immunefi and Trust Security shines a spotlight on the challenges of managing bug bounty programs in the rapidly evolving Web3 space. As Web3 projects continue to grow, ensuring fairness, transparency, and community-driven governance will be crucial for maintaining trust between security researchers, projects, and bounty platforms.
As the issue unfolds, the Web3 community may look for clearer guidelines and more robust processes that can prevent similar conflicts in the future and encourage greater collaboration in the fight against vulnerabilities.