Disclosure SLA public
Chainlink CCIP's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No explicit acknowledgment-time SLA (e.g., 72-hour acknowledgment, 30-day remediation window) is published on the Immunefi program page or in Chainlink's security documentation. The Immunefi Approval Required category implies an embargo period (researchers must coordinate before public disclosure), but no specific timeline is stated. Chainlink does not publish a separate responsible disclosure policy document with a stated SLA. Immunefi's platform norms provide an implicit triage SLA, but this is a platform-level norm rather than a Chainlink-published commitment. The HackerOne program policy may contain a written SLA, but this was not confirmed from public-facing pages. Scored yellow: a disclosure channel exists (green F175), but a specific SLA is unpublished.
Sources
- URL: Chainlink Bug Bounties | Immunefi. Immunefi Chainlink program page reviewed - no specific SLA published; Category 3 Approval Required classification noted. Retrieved 2026-05-16.
- CCIP Service Responsibility - Shared Accountability Model. CCIP service responsibility documentation reviewed - no disclosure SLA or responsible disclosure policy found. Retrieved 2026-05-16.
Methodology
Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).