Disclosure channel exists

M^0's assessment for RD-F-175 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No dedicated security disclosure channel found for M^0 core Ethereum protocol ($325.5M TVS). Specific checks: (1) SECURITY.md absent — GitHub security tab shows 'No security policy detected' and 'No published security advisories'; (2) security@ email not published anywhere on m0.org, docs.m0.org, or research.m0.org; (3) security.txt at www.m0.org/.well-known/security.txt returns 404; (4) M^0 core Ethereum protocol NOT covered by any Immunefi program — the KAST Immunefi program covers 2 Solana extension contracts only; (5) Cantina portfolio page returns 404; (6) www.m0.org/contact-us provides generic contact form with no security-specific routing. Core attack surface ($325M) has no public vulnerability reporting path.

Sources #

GitHub
M^0 protocol GitHub security tab — no SECURITY.md, no advisoriesgithub.com/m0-foundation/protocol/security — shows 'No security policy detected' and 'No published security advisories'retrieved 2026-05-16
URL
Immunefi KAST Scope — Solana-only, no Ethereum coreImmunefi KAST scope page — 2 Solana assets in scope, M^0 Ethereum core not coveredretrieved 2026-05-16
URL
M^0 Contact Us page — generic form onlywww.m0.org/contact-us — generic contact form, no security-specific channelretrieved 2026-05-16

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol m0 factor RD-F-175 score red collected_at 2026-05-16 09:46:19