- Immunefi has suspended Trust Security for mischaracterizing a critical bug report.
- Trust Security found a theft-of-funds bug but was denied a full bounty payout.
- TrustSec rejected Immunefi’s goodwill offer, citing transparency issues in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security, a white-hat security firm, following a dispute over a critical bug report.
The suspension follows a controversy that centres on Trust Security’s claim that it was unjustly denied a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty dispute
On November 12, Trust Security took to X (formerly Twitter) to disclose that its bounty team had discovered a serious vulnerability in a forked mainnet of an unnamed project.
Recently the bounty team at TrustSec discovered another critical resulting in live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi , not only did the project get away without paying the bounty, but due to a dirty…
— Trust (@trust__90) November 12, 2024
The bug, described as a theft-of-funds issue, was reported to Immunefi, which mediates bug reports and bounty payments between white-hat hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty payout.
Immunefi sided with the project’s stance, dismissing the vulnerability as out of scope according to its established rules.
Immunefi offered TrustSec a “goodwill bounty” instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent them from disclosing the bug’s details without the project’s approval.
TrustSec further criticized Immunefi for siding with the project’s “nonsense argument” and for what it perceived as an attempt to suppress transparency in the Web3 ecosystem.
Immunefi, in turn, accused Trust of mischaracterizing the situation and suspended the firm for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was indeed out of scope according to its rules and that the project was generous in offering any bounty at all.
Our response to Trust’s tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
Trust Security, however, emphasised the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white-hat community.
The dispute has sparked debate among community members, with some questioning Immunefi’s decision to impose a suspension rather than engage in constructive dialogue.