Disclosure SLA public

Concrete's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public acknowledgment-time SLA found on the Cantina program page or in Concrete's documentation. The program requires researchers to report within 24 hours of discovery (researcher obligation), but no team response SLA (e.g., '72h ack') is stated. Cantina's managed model implies structured triage, but no committed response window is disclosed. Yellow: channel exists, SLA absent.

Sources #

URL
Concrete Bug Bounty — Cantina (SLA section absent)Cantina bug bounty program page — no SLA field present; disclosure terms cover researcher obligations onlyretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-176 score yellow collected_at 2026-05-17 14:36:59