defirisk.co
rubric v1.7.0

Disclosure SLA public

A response & disclosure hygiene factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor records whether the protocol publishes an acknowledgment-time service level agreement (SLA) for disclosed vulnerabilities: for example, a commitment to acknowledge security reports within 72 hours, triage within seven days, and patch within 90 days. Measurement is manual curator review of the protocol's security disclosure documentation, bug bounty program terms, and any published responsible-disclosure policy. Category 13 context: a published SLA turns an informal disclosure process into a public, time-bound commitment, creating accountability for timely response and narrowing the window between a report being filed and the issue being triaged.

**Why it matters** The absence of a disclosure SLA is documented across multiple dataset incidents where known vulnerabilities were reported but not acted upon. Atomic Wallet ($100M, 2023) received a Least Authority security report in 2022 and failed to act; a public SLA would have created a documented timeline for mandatory response. Mango Markets ($115M, 2022) had a Discord warning in March 2022 referencing the exact vulnerability class; without a disclosure SLA, the warning lapsed with no response commitment attached to it. Sonne Finance ($20M, 2024) had a yAudit finding flagging the Compound V2 donation risk, but the governance execution gap was not addressed within any defined timeframe. A published SLA does not prevent exploitation, and it cannot force a team to remediate what it has acknowledged; what it provides is a measurable standard against which responsiveness on each report can be assessed after the fact.

**Green / Yellow / Red** Green is scored when the protocol publishes a clear acknowledgment SLA of 72 hours or shorter, with a defined triage window and a maximum response timeline. Yellow applies when only a partial SLA exists (for instance, the bug bounty program defines payment terms but not acknowledgment timelines), when the stated acknowledgment window is longer than 72 hours, or when the SLA has not yet been tested by a public report. Red is scored when the protocol has an Immunefi program or equivalent but publishes no acknowledgment SLA, or when the documented response history shows the SLA being missed on prior reports.

**Common gray cases** Gray applies when the protocol operates a private disclosure process and SLA terms are communicated only to submitters after first contact, making public verification impossible.

**Notable historical examples** No incidents in the hacks database are currently cross-linked to this factor.

Measurement: what to look for

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack). Look for an explicit acknowledgment window, not just payout terms; confirm the text sits on a page the protocol controls (security docs or the Immunefi program description) rather than a third-party summary; and record the URL and the stated acknowledgment time as the evidence artifact.

Data & output

Data source: Protocol security docs + Immunefi program description
Output format: Green / Yellow / Red
Evidence artifact: SLA text URL + acknowledgment time stated
Confidence signal: green = SLA of 72h or shorter acknowledgment publicly stated and honored in prior instances; yellow = SLA stated but not yet tested, or acknowledgment window longer than 72h; red = no SLA published; gray = no disclosure channel exists (see F175)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-176 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | red |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | red |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | red |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | red |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | red |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | red |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | red |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | yellow |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | red |
| Lombard Finance | ethereum | red |
| M^0 | ethereum | red |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | red |
| Meteora | solana | red |
| mETH Protocol | ethereum | red |
| Midas | ethereum | red |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | red |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | red |
| Orca | solana | yellow |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | red |
| Polymarket | polygon | red |
| QuickSwap | polygon | red |
| Raydium | solana | green |
| Rocket Pool | ethereum | red |
| Sanctum | solana | red |
| Save (formerly Solend) | solana | red |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | red |
| Spiko | stellar | red |
| Stake DAO | ethereum | red |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | red |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | red |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0 | factor: RD-F-176 | category: 13 | carried: 80 | critical: no