- Immunefi has suspended Trust Security for mischaracterizing a critical bug report.
- Trust Security found a theft-of-funds bug but was denied a full bounty payout.
- TrustSec rejected Immunefi's goodwill offer, citing transparency issues in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security (TrustSec), a white-hat security firm, following a dispute over a critical bug report.
The suspension stems from Trust Security's claim that it was unjustly denied a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty dispute
On November 12, Trust Security took to X (formerly Twitter) to disclose that its bounty team had found a critical vulnerability in a forked mainnet of an unidentified project.
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi, not only did the project get away without paying the bounty, but as a result of a dirty…
— Trust (@trust__90) November 12, 2024
The bug, described as a theft-of-funds issue, was reported to Immunefi, which mediates bug reports and bounty payments between white-hat hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty payout.
Immunefi sided with the project, dismissing the vulnerability as out of scope under its established rules.
Immunefi offered TrustSec a "goodwill bounty" instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent them from disclosing the bug's details without the project's approval.
TrustSec further criticized Immunefi for siding with the project's "nonsense argument" and for what it perceived as an attempt to suppress transparency in the Web3 ecosystem.
Immunefi, in turn, accused Trust of mischaracterizing the situation and suspended the firm for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was indeed out of scope under its rules and that the project had been generous in offering any bounty at all.
Our response to Trust's tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
Trust Security, however, emphasized the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white-hat community.
The dispute has sparked debate among community members, with some questioning Immunefi's decision to impose a suspension rather than engage in constructive dialogue.