Immunefi halts TrustSec over bug bounty dispute

Immunefi has suspended Trust Security for 90 days following a dispute over a bug bounty payment, raising concerns about fairness on Web3 platforms, according to reports on November 13, 2024.

On November 12, Trust Security announced on X that its bounty team had discovered a critical vulnerability on a forked mainnet of an unnamed project, which could allow the theft of funds.

"We rather expose the scam and warn hackers than having a few extra Ks in our pocket," Trust Security stated, emphasising their commitment to security over monetary gain.

The team provided a proof-of-concept of the vulnerability to Immunefi, the platform that mediates between white hat hackers and projects to ensure credible bug reports receive bounty payments.

However, the project deemed the reported bug as “out of scope,” effectively disqualifying Trust Security from receiving the full bounty reward.

Trust Security argued that Immunefi improperly sided with the project’s stance and offered only a “tiny goodwill bounty” instead of the appropriate reward for identifying a critical issue.

“In this case, we agreed with the project because the issue was absolutely out of scope according to our standard rules. The project was generous to offer a bounty at all,” Immunefi maintained, justifying their decision based on their standard rules.

Additionally, Immunefi threatened a permanent ban on TrustSec if similar disputes occurred in the future.

Trust Security has called for greater transparency and criticised the opaque behavior of some projects and bounty platforms.

“We’re going public because the shady, ultra-secretive behavior we’re seeing from projects and some bounty platforms goes directly against the Web3 ethos and the white hat community,” Trust Security added.

The crypto community has expressed skepticism about Immunefi’s decision, questioning whether a permanent ban is a fair response instead of fostering a constructive dialogue. Immunefi has not responded to requests for further comments from Cointelegraph.

This incident follows a recent payout by the Evmos blockchain, which awarded a $150,000 bounty to a researcher for identifying a critical bug, highlighting the ongoing challenges in the bug bounty landscape.