Principles vs. Rules: Ethical Conflict between Trust Security and Immunefi in Bug Bounty

Man

White hat hackers discovered a critical vulnerability but were left without payment.

The Immunefi platform, which specializes in finding vulnerabilities in Web3 projects, has suspended cooperation with Trust Security for 90 days. The reason was a conflict over a reward for a critical vulnerability discovered.

On November 12, the Trust Security team announced on the X social network that it had discovered a critical vulnerability in a mainnet fork of an unnamed project. The company's specialists handed over a proof of concept for the vulnerability to the Immunefi platform, which acts as an intermediary between security researchers and projects to ensure fair reward payments.

However, the project in which the vulnerability was found said that the problem was "out of scope" under the bounty agreement, effectively denying Trust Security the right to a bounty. According to Trust Security, the Immunefi platform illegally supported the project's position and offered symbolic compensation instead of full payment for a critical vulnerability.

In response to the public criticism, Immunefi suspended Trust Security for 90 days for "misrepresenting the essence of the problem." The platform also warned of a possible permanent ban in case of a repeat violation.

"The reason for the suspension is an unethical, unscrupulous misrepresentation of the issue and damage to our reputation, which we believe goes far beyond criticism. Criticism is acceptable, but not in this form," said the representative of Immunefi.

Immunefi insists its decision was correct: "In this case, we agreed with the project because the problem was completely outside the testing perimeter according to our standard rules. The project has been generous in offering any reward at all."

Trust Security refused to accept the symbolic compensation, saying, "We would rather expose the fraud and warn hackers than have the extra thousands in our account."

Immunefi also told Cointelegraph that it does not consider Trust Security's finding to be a full-fledged vulnerability, since exploiting it requires the user to take an unintended action: granting an unlimited token approval to the smart contract. "To execute the attack, the attacker will need to either wait for such endless approval or gain physical access to the user's private keys. In such a situation, anything is possible," the company explained.

Trust Security called for more transparency: "We are making the situation public because the suspicious, top-secret behavior we are seeing from projects and some vulnerability search platforms goes against Web3 ethics and the white hat hacker community."

Some members of the crypto community on X criticized Immunefi's decision to suspend Trust Security instead of engaging in a constructive dialogue.
