Disclosure SLA public
Pendle Finance's assessment for RD-F-176 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No acknowledgment-time SLA is published on either the Immunefi or the Cantina program page. The Cantina page specifies disclosure process requirements (no public disclosure without team consent, local fork testing only, PoC required) but states no SLA. The Pendle security docs page (docs.pendle.finance/pendle-v2/Security) contains only an audit list, with no SLA. SECURITY.md is absent from the GitHub repo (data cache security_md_present: false). Red: no SLA published.
Sources
- Cantina — Pendle Finance Bug Bounty (no SLA field). Cantina Pendle bounty — no acknowledgment SLA stated. Retrieved 2026-04-29.
- Pendle Documentation — Security page. Pendle security docs — audit list only, no SLA. Retrieved 2026-04-29.
- Pendle core V2 public repo — no SECURITY.md. SECURITY.md absent from pendle-core-v2-public (security_md_present: false per data cache). Retrieved 2026-04-29.
Methodology
Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).