defirisk.co
rubric v1.7.0

Disclosure channel exists

A response & disclosure hygiene factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records whether the protocol publishes a publicly accessible security disclosure channel — a dedicated security email address (security@domain), an Immunefi bug bounty page, an in-house disclosure program with documented submission instructions, or an equivalent mechanism that a security researcher could use to report a vulnerability. Measurement is programmatic via Immunefi API and web scrape of the protocol's documentation and security pages. Category 13 context: a disclosure channel is the baseline prerequisite for responsible vulnerability reporting; without one, security researchers have no legitimate path to report findings and may choose to exploit or publicly disclose instead.

**Why it matters** Among the protocols in the T-01 hack database without a bug bounty program — bEarn, Cashio, Badger, Atomic Wallet, Alpha Finance, Curio, Deus DAO 2, and 23 others — the absence of a disclosure channel meant that researchers discovering vulnerabilities had no incentive or mechanism to report them. The Elephant Money case is particularly instructive: Solidity Finance identified the flash-loan manipulation vulnerability during the audit but failed to communicate it — in part because there was no structured disclosure channel for the finding to be escalated through. Atomic Wallet ($100M, 2023) ignored a Least Authority security report in 2022 that described the vulnerability class — the absence of a functional disclosure process meant the finding was filed and forgotten.

**Green / Yellow / Red** Green is scored when the protocol publishes a functional security disclosure channel with clear submission instructions and a documented response commitment (Immunefi listing, security@ address with public acknowledgment SLA, or equivalent). Yellow applies when a disclosure mechanism exists but is informal or partially documented — for instance, a Discord DM instruction without a formal bug bounty program or documented response process. Red is scored when the protocol has no discoverable security disclosure channel and the curator's research finds no mechanism for a researcher to submit a vulnerability report.

**Common gray cases** Gray applies when a disclosure channel appears to exist based on documentation but the curator cannot verify whether it is actively monitored (e.g., a security email address with no confirmed recent responses).

**Notable historical examples** No cross-linked hack incidents are currently recorded in the database for this factor.

Measurement: what to look for

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

Data & output

**Data source** Protocol docs security section + Immunefi API `/bounties` endpoint + protocol website footer

**Output format** Green / Yellow / Red

**Evidence artifact** Disclosure channel URL or Immunefi program slug

**Confidence signal** green = public disclosure channel exists and is actively monitored (response evidence in last 12 months); yellow = disclosure channel exists but no evidence of active monitoring; red = no public disclosure channel; gray = protocol docs not publicly accessible
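The confidence-signal rules above, together with the formal/informal distinction from the Green / Yellow / Red section, form a small decision procedure. The following is an added example and not defirisk.co's own scoring code: it applies those rules to a structured evidence record per protocol. The record fields (`docs_accessible`, `channel_url`, `immunefi_slug`, `formal`, `last_response_at`), the rule precedence (docs inaccessible is checked first, then channel absence, then informality or stale monitoring), and the reading of "last 12 months" as a 365-day window are all assumptions of this example; the sample records are constructed.

```python
# Added example (not defirisk.co's scoring code): scores the
# "Disclosure channel exists" factor from a per-protocol evidence record.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class DisclosureEvidence:
    """Constructed evidence record; field names are this example's assumptions."""
    protocol: str
    docs_accessible: bool                    # could the curator reach the docs at all?
    channel_url: Optional[str] = None        # security@ mailto:, disclosure page, etc.
    immunefi_slug: Optional[str] = None      # Immunefi program slug, if listed
    formal: bool = False                     # documented submission instructions + response commitment
    last_response_at: Optional[date] = None  # most recent public acknowledgment seen


# "Response evidence in last 12 months": read here as 365 days (assumption).
MONITORING_WINDOW = timedelta(days=365)


def score_disclosure_channel(ev: DisclosureEvidence, as_of: date) -> Tuple[str, Optional[str]]:
    """Return (score, evidence_artifact).

    Rule order (assumed precedence):
      gray   - protocol docs not publicly accessible
      red    - no discoverable disclosure channel
      yellow - channel exists but is informal, or has no response evidence
               within the monitoring window
      green  - formal channel with response evidence within the window
    The evidence artifact is the Immunefi slug when present, else the channel URL.
    """
    if not ev.docs_accessible:
        return "gray", None

    artifact = ev.immunefi_slug or ev.channel_url
    if artifact is None:
        return "red", None

    recently_monitored = (
        ev.last_response_at is not None
        and as_of - ev.last_response_at <= MONITORING_WINDOW
    )
    if not ev.formal or not recently_monitored:
        return "yellow", artifact
    return "green", artifact


def summarize(records: List[DisclosureEvidence], as_of: date) -> Dict[str, int]:
    """Count protocols per score, the way the scored-protocols table is tallied."""
    counts: Dict[str, int] = {"green": 0, "yellow": 0, "red": 0, "gray": 0}
    for ev in records:
        score, _ = score_disclosure_channel(ev, as_of)
        counts[score] += 1
    return counts


# Constructed sample records (names and dates are made up for this example).
AS_OF = date(2025, 6, 1)
SAMPLE = [
    DisclosureEvidence("Example Lend", True, immunefi_slug="example-lend",
                       formal=True, last_response_at=date(2025, 1, 15)),
    DisclosureEvidence("Example Swap", True, channel_url="mailto:security@example-swap.invalid",
                       formal=False, last_response_at=date(2025, 5, 1)),   # informal -> yellow
    DisclosureEvidence("Example Vault", True, channel_url="https://example-vault.invalid/security",
                       formal=True, last_response_at=date(2023, 1, 1)),    # stale -> yellow
    DisclosureEvidence("Example Bridge", True),                             # no channel -> red
    DisclosureEvidence("Example RWA", False, channel_url="https://example-rwa.invalid/security",
                       formal=True),                                        # docs inaccessible -> gray
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.protocol, *score_disclosure_channel(ev, AS_OF))
    print(summarize(SAMPLE, AS_OF))
```

Note that a record whose docs are unreachable scores gray even when a channel URL was captured from elsewhere, matching the rubric's definition of gray; a curator who can reach the docs but cannot confirm monitoring lands on yellow under the confidence-signal wording rather than the gray of the "common gray cases" paragraph, and the precedence chosen here is the example's reading, not the site's.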

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-175 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | not_assessed |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | red |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | red |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | red |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | red |
| Stake DAO | ethereum | red |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | red |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

**rubric_version** v1.7.0
**factor** RD-F-175
**category** 13
**carried** 80
**critical** no