Disclosure SLA public

Multipli's assessment for RD-F-176 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No public acknowledgment-time SLA found for disclosed vulnerabilities. HackenProof program page requires submitters to provide PoC within 24h of discovery (submitter obligation) but no response or acknowledgment SLA from Multipli team is published. No SECURITY.md exists in the public GitHub repo (data cache: security_md_present: false; confirmed via GitHub repo analysis). No safe-harbor clause found. No disclosure policy page found.

Sources #

Internal
Data cache — github.security_md_present = false.research/protocols/multipli/00-data-cache.json → sources.github.security_md_present = falseretrieved 2026-05-17
GitHub
Multipli GitHub repo — no SECURITY.md presenthttps://github.com/multipli-libs/Barebones-MultipliVaultretrieved 2026-05-17
URL
HackenProof — Multipli Smart Contracts bug bounty (max $10K, started 2026-02-24)https://hackenproof.com/programs/multipli-smart-contractsretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol multipli factor RD-F-176 score red collected_at 2026-05-17 11:48:35