- Immunefi has suspended Trust Security for misrepresenting a critical bug report.
- Trust Security found a funds theft bug but was denied full bounty payment.
- TrustSec rejected Immunefi's goodwill offer, citing transparency issues in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security, a white hat security firm, following a dispute over a critical bug report.
The suspension follows controversy centered on Trust Security's allegations that it was unfairly denied a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty battle
On November 12, Trust Security took to X (formerly Twitter) to disclose that its bounty team had discovered a serious vulnerability in a mainnet fork of an unidentified project.
Recently, the TrustSec bounty team discovered another critical issue leading to unauthenticated fund theft. Because of what we consider to be malicious behavior by the project and especially by @immunefi, not only did the project run away without paying the premium, but due to a dirty…
– Trust (@trust__90) November 12, 2024
The bug, described as a fund theft issue, was reported to Immunefi, which mediates bug reports and bounty payments between hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty.
Immunefi sided with the project, dismissing the vulnerability as out of scope under its established rules.
Immunefi offered TrustSec a “goodwill bonus” instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent them from disclosing details of the bug without the project's approval.
TrustSec further criticized Immunefi for siding with the project's “absurd argument” and what it perceived as an attempt to remove transparency from the Web3 ecosystem.
Immunefi, in turn, accused Trust of misrepresenting the situation and suspended the company for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was indeed out of scope under its rules and that the project was being generous in offering any bounty at all.
Our response to Trust's tweet:
– We want to be very clear: manipulative approaches like this, which misrepresent the issues at hand, are unethical and unacceptable. We will impose a 90-day suspension. A third and final offense would result in a permanent ban.
–… https://t.co/LcCGcBKvOr
– Immunefi (@immunefi) November 12, 2024
Trust Security, however, stressed the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white hat community.
The dispute sparked debate among community members, with some questioning Immunefi's decision to impose a suspension rather than engage in constructive dialogue.