Disclosure channel exists
crvUSD (Curve Stablecoin)'s assessment for RD-F-175 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Curve Finance maintains two active public disclosure channels: (1) a HackerOne program at https://hackerone.com/curve, whose scope covers smart contract vulnerabilities causing substantial loss of money, critical liveness failures, or irreversible fund loss, and excludes known vulnerabilities and front-end code not leading to smart contract impact; (2) self-hosted security docs at https://docs.curve.finance/security/security/ (returned HTTP 403 during assessment, but existence confirmed via web search and news coverage). The maximum payout of $250,000 in CRV is confirmed by two paid precedents: the Marco Croc / Kupia Security reentrancy vulnerability (2024) and the f(x) Protocol swap router bug governance proposal (May 2024, max bounty size confirmed). The program is not on Immunefi: the data cache value bug_bounty.platform=null is a pipeline artifact (Immunefi-only scraper). Self-hosted + HackerOne is a positive program configuration, not an absence of a bounty. Green.
Sources
- Curve Finance Rewards Dev $250K for Vulnerability Discovery. CryptoTimes: Curve Finance Rewards Dev $250K — Marco Croc reentrancy bounty (2024). Retrieved 2026-05-16.
- Pay $250k Bug Bounty to f(x) Protocol — Curve Governance Forum. Curve governance proposal to pay f(x) Protocol $250K CRV bounty; confirms $250K max payout. Retrieved 2026-05-16.
- Curve — Bug Bounty Program | HackerOne. Curve HackerOne bug bounty program; primary disclosure channel. Retrieved 2026-05-16.
Methodology
Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).