Following a dispute over a bug bounty payment, the well-known Web3 bug bounty platform Immunefi has suspended Trust Security (TrustSec), a white-hat cybersecurity company, for ninety days. The suspension has raised concerns about fairness and transparency within the Web3 security ecosystem.
The dispute began on November 12, when TrustSec revealed that its team had found a serious vulnerability in a forked mainnet of an unidentified project. TrustSec reported the issue to Immunefi, which mediates between blockchain projects and ethical hackers; the vulnerability posed a possible risk of financial theft. Immunefi declared the issue “out of scope” under its policies, meaning the vulnerability did not qualify for a full payout, but TrustSec expected a full bounty for the discovery.
Immunefi responded with a smaller “goodwill bounty.” TrustSec turned down the offer, saying that accepting it would legally forbid them from disclosing details of the vulnerability without the project’s permission. They also stated that Immunefi’s decision undermined the open values of the Web3 community and lacked transparency. According to TrustSec, accepting the goodwill offer would jeopardize their credibility as ethical hackers who prioritize warning the community about potential threats.
Immunefi asserted that it had strictly followed its standards and maintained that the flaw was not within the scope of the bounty program. It further asserted that the project had been generous in offering a reward it was not obliged to provide. After TrustSec criticized the decision publicly, Immunefi suspended the security company for ninety days and warned that further mischaracterizations could result in a permanent ban.
TrustSec insisted, however, that the flaw was legitimate and that declining the reward was a stand for openness. They also expressed concern about the level of secrecy under which some Web3 projects and platforms operate, and they called for greater industry transparency to protect users and support the ethical hacking community.
The incident has sparked a discussion in the Web3 security scene, with some community members questioning whether a suspension was the appropriate response. They contend that a more constructive discourse, one that encourages cooperation and trust between security researchers and platforms, would better serve the ecosystem.