Disclosure channel exists

Yearn Finance's assessment for RD-F-175 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Multiple active disclosure channels exist: (1) Immunefi program 'yearnfinance' at immunefi.com/bug-bounty/yearnfinance/ — 41 assets in scope, $200K max payout, median resolution 19 hours per Immunefi display; (2) Sherlock bug bounty listing at audits.sherlock.xyz/bug-bounties/30; (3) Direct PGP contacts via SECURITY.md (Tapir: yvtapir@gmail.com, Spalen: spalen@proton.me); (4) security@yearn.finance email. Immunefi median resolution of 19 hours evidences active monitoring.

Sources #

URL
Yearn Security Policy (SECURITY.md)Yearn SECURITY.md — PGP contacts, email, disclosure processretrieved 2026-05-16
URL
Immunefi — Yearn Finance Bug BountyImmunefi Yearn Finance bug bounty program — active, 41 assets in scope, $200K max payoutretrieved 2026-05-16
URL
Sherlock — Yearn Finance Bug BountySherlock Yearn Finance bug bounty listingretrieved 2026-05-16

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-175 score green collected_at 2026-05-16 08:34:32