defirisk.co
rubric v1.7.0

Disclosure SLA public

Convex Finance's assessment for RD-F-176 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Bug bounty page states researchers must allow 'a reasonable amount of time' before public disclosure. No specific acknowledgment time SLA is quantified. 'Reasonable time' is vague and not a public SLA. No 72-hour or equivalent acknowledgment commitment. Only one significant prior disclosure (Dec 2021, mediated by Immunefi with no defined SLA window). Scored red: no quantified SLA published.

Sources

  • Docs
    Bug Bounties — Convex Finance Docs
    Convex Finance bug bounty page — disclosure policy states 'reasonable amount of time' with no specific SLA quantification
    retrieved 2026-05-16

Methodology

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).


rubric_version: v1.7.0
protocol: convex-finance
factor: RD-F-176
score: red
collected_at: 2026-05-16 02:41:28