Bug bounty presence & max payout

Chainlink CCIP's assessment for RD-F-007 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Active Immunefi program with $3M maximum payout for critical smart contract vulnerabilities. 25 assets in scope including CCIP. Program updated 2026-05-05. HackerOne program also active. Clearly above $500K threshold for green.

Sources #

URL
Chainlink Bug Bounty Program — Immunefi ($3M max, updated 2026-05-05)Immunefi Chainlink bug bounty programretrieved 2026-05-16
GitHub
smartcontractkit/chainlink Security — HackerOne programChainlink HackerOne security program linkretrieved 2026-05-16

Methodology #

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-007 score green collected_at 2026-05-16 01:55:09