defirisk.co
rubric v1.7.0

Disclosure SLA public

Wormhole's assessment for RD-F-176 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

- Finding: PARTIAL. The SECURITY.md delegates policy to Immunefi — no self-published acknowledgment SLA is present in the SECURITY.md itself. A secondary-source reference to "resolving critical issues within ten business days of disclosure" exists (sourced from web search describing Wormhole's Immunefi program terms). This SLA is Immunefi-platform-enforced, not self-declared by Wormhole. A 10-business-day resolution SLA for critical bugs on a $300M/day-throughput protocol is very long. No pub...

Sources #

  • Curator note
    Extracted from 05-ops-history.md — RD-F-176; no URL cited in originalretrieved 2026-04-28

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-176 score gray collected_at 2026-04-28 01:38:43