Disclosure SLA public

Cap (cUSD / stcUSD)'s assessment for RD-F-176 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public acknowledgment-time SLA published. The Sherlock bug bounty page (https://audits.sherlock.xyz/bug-bounties/114) does not include a protocol-published acknowledgment SLA. Cap docs (docs.cap.app) contain no disclosure SLA. No security policy page found on cap.app or GitHub. Red per methodology: 'no SLA published -> red'. Note: Sherlock platform sets internal triage norms, but those are not a protocol-published SLA commitment.

Sources #

URL
Cap Bug Bounty — SherlockCap bug bounty page — no SLA publishedretrieved 2026-05-17
URL
Cap Security ResourcesCap documentation — no security SLA foundretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-176 score red collected_at 2026-05-17 10:56:24