defirisk.co
rubric v1.7.0

Disclosure channel exists

Superstate's assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

A security-disclosure contact exists at security@superstate.co per official documentation. However, no formal bug-bounty program on Immunefi or an equivalent platform is active. The disclosure channel is email-only: no structured intake, no formal scope, no named triage team. For a $1.11B TVL protocol, email-only disclosure without a platform-hosted program is below peer norms. Scored yellow per RWA-peer precedent (circle-usyc, spiko): a disclosure path exists but lacks formalization. A safe-harbor clause is present (CFAA/DMCA protections per docs).

Sources

  • Internal
    Superstate Protocol Profile §9 (00-profile.md §9) — No Immunefi or Cantina program found; security@superstate.co is the only disclosure channel (retrieved 2026-05-16)
  • Docs
    Superstate Security Documentation (docs.superstate.com security section) — security@superstate.co contact; no bounty program mentioned; safe-harbor CFAA/DMCA protection stated (retrieved 2026-05-16)
  • Internal
    Superstate Data Cache (00-data-cache.json) — immunefi.program_exists = false (retrieved 2026-05-15)

Methodology

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).


rubric_version: v1.7.0; protocol: superstate; factor: RD-F-175; score: yellow; collected_at: 2026-05-16 00:06:37