Disclosure channel exists

Circle USYC's assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Disclosure channel exists: Circle HackerOne BBP (https://hackerone.com/circle-bbp) and security@circle.com general security email. However, scope documentation does not explicitly confirm USYC on-chain smart contracts are in scope. The April 2026 Arc BBP ($5,000 critical cap) attracted backlash and is a distinct program. No USYC-specific SIRT page or Immunefi program exists (data cache bug_bounty.platform: null). RWA adjudication per PD-042: yellow reflects scope ambiguity, not DeFi-norm non-compliance. Channel exists but applicability to USYC contract reports is unconfirmed from public documentation.

Sources #

URL
Circle Developer Docs -- USYC OverviewCircle developer docs -- security contact listed as customer-support@circle.com for inquiries; no USYC-specific SIRTretrieved 2026-05-16
URL
Circle BBP -- HackerOneCircle Bug Bounty Program on HackerOne -- exists but USYC smart contract scope not confirmedretrieved 2026-05-16
URL
Circle Arc BBP $5,000 Cap Backlash -- CoinEdition April 2026Circle Arc BBP $5,000 cap backlash -- April 2026 coverage confirms BBP existence but low payout ceiling and no USYC scoperetrieved 2026-05-16

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol circle-usyc factor RD-F-175 score yellow collected_at 2026-05-15 21:56:43