Bug bounty presence & max payout

Convex Finance's assessment for RD-F-007 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No standing Immunefi or equivalent bug bounty program found for Convex Finance. Data cache confirms bug_bounty.platform: null. Immunefi was used as a disclosure intermediary for the 2021 OZ vulnerability but no formal program was ever registered. The vlCVX v1 bug bounty paid ad hoc from treasury with no formal program. No Convex listing found on Immunefi as of 2026-05-16.

Sources #

Docs
Convex Finance FAQ (no bug bounty section)Convex protocol FAQ - no bug bounty mentionedretrieved 2026-05-16
URL
Convex Finance: Vote-Locked CVX Contract Migration (no formal bounty program)vlCVX migration blog: ad hoc bounty payment mentionedretrieved 2026-05-16

Methodology #

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-007 score red collected_at 2026-05-16 02:41:28