- Immunefi has suspended Trust Security for mischaracterizing a critical bug report.
- Trust Security found a theft-of-funds bug but was denied a full bounty payout.
- TrustSec rejected Immunefi's goodwill offer, citing transparency concerns in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security, a white-hat security firm, following a dispute over a critical bug report.
The suspension follows a controversy centred on Trust Security's claim that it was unjustly denied a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty dispute
On November 12, Trust Security took to X (formerly Twitter) to reveal that its bounty team had discovered a critical vulnerability in a forked mainnet of an unidentified project.
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and specifically of @immunefi, not only did the project get away without paying the bounty, but due to a dirty…
— Trust (@trust__90) November 12, 2024
The bug, described as a theft-of-funds issue, was reported to Immunefi, which mediates bug reports and bounty payments between white-hat hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty payout.
Immunefi sided with the project, ruling the vulnerability out of scope under its established rules.
Immunefi offered TrustSec a "goodwill bounty" instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent it from disclosing the bug's details without the project's approval.
TrustSec further criticized Immunefi for siding with the project's "nonsense argument" and for what it perceived as an attempt to suppress transparency in the Web3 ecosystem.
Immunefi, in turn, accused Trust of mischaracterizing the situation and suspended the firm for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was indeed out of scope under its rules and that the project had been generous in offering any bounty at all.
Our response to Trust's tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
Trust Security, however, emphasized the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white-hat community.
The dispute has sparked debate among community members, with some questioning Immunefi's decision to impose a suspension rather than engage in constructive dialogue.