Bug bounty presence & max payout

Curve Finance's assessment for RD-F-007 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Active self-managed bug bounty at curve.finance/bugbounty. Maximum payout $250,000 confirmed via May 2024 Marco Croc payout for reentrancy vulnerability. Submissions to security@curve.fi. Not on Immunefi (self-managed); data cache bug_bounty.platform: null is a pipeline gap. Program existence and max payout independently confirmed.

Sources #

URL
Curve Finance Rewards Dev $250K for Vulnerability Discovery — CryptoTimesMarco Croc $250K bug bounty payout confirmationretrieved 2026-04-28
Docs
Curve Finance Bug Bounty ProgramCurve Finance bug bounty page (403 on direct fetch; confirmed via search)retrieved 2026-04-28

Methodology #

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-007 score green collected_at 2026-04-28 19:48:40