- Immunefi has suspended Trust Security for mischaracterizing a critical bug report.
- Trust Security found a theft-of-funds bug but was denied a full bounty payout.
- TrustSec rejected Immunefi's goodwill offer, citing transparency concerns in Web3.
Immunefi, a leading Web3 bug bounty platform, has imposed a 90-day suspension on Trust Security, a white-hat security firm, following a dispute over a critical bug report.
The suspension follows a controversy that centres on Trust Security's claim that it was unjustly denied a bug bounty for identifying a vulnerability that could lead to the theft of funds.
The bug bounty dispute
On November 12, Trust Security took to X (formerly Twitter) to disclose that its bounty team had discovered a serious vulnerability in a forked mainnet of an unidentified project.
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and specifically of @immunefi, not only did the project get away without paying the bounty, but due to a dirty…
— Trust (@trust__90) November 12, 2024
The bug, described as a theft-of-funds issue, was reported to Immunefi, which mediates bug reports and bounty payments between white-hat hackers and projects. However, the project in question argued that the discovered vulnerability was out of scope and not eligible for a bounty payout.
Immunefi sided with the project's stance, dismissing the vulnerability as out of scope according to its established rules.
Immunefi offered TrustSec a "goodwill bounty" instead of the full reward, but TrustSec rejected it, arguing that accepting the offer would prevent them from disclosing the bug's details without the project's approval.
TrustSec further criticized Immunefi for siding with the project's "nonsense argument" and for what it perceived as an attempt to suppress transparency in the Web3 ecosystem.
Immunefi, in turn, accused Trust of mischaracterizing the situation and suspended the firm for 90 days. The platform threatened a permanent ban if TrustSec continued to misrepresent the issue.
Immunefi defended its position, stating that the issue was indeed out of scope according to its rules and that the project had been generous in offering any bounty at all.
Our response to Trust's tweet:
– We want to be crystal clear: manipulative approaches like this that mischaracterize the issues at hand are unethical and unacceptable. We will be issuing a 90-day suspension. A third and final infraction would result in a permanent ban.
-… https://t.co/LcCGcBKvOr
— Immunefi (@immunefi) November 12, 2024
Trust Security, however, emphasised the importance of openness and transparency within the Web3 community, accusing both the underlying project and Immunefi of adopting overly secretive practices that conflict with the principles of the white-hat community.
The dispute has sparked debate among community members, with some questioning Immunefi's decision to impose a suspension rather than engage in constructive dialogue.