Disclosure channel exists

Cap (cUSD / stcUSD)'s assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Active Sherlock bug bounty exists at https://audits.sherlock.xyz/bug-bounties/114 (live since 2025-10-24, max $1M USDC) — this constitutes a public disclosure channel. However, no SECURITY.md on GitHub (data cache github.security_md_present: false), no published SIRT email, and no security.txt or dedicated security page on docs.cap.app. No evidence of prior submissions or active monitoring beyond Sherlock's platform-standard triage found (protocol is 9 months old with 0 incidents). Yellow: channel exists but active-monitoring evidence is absent.

Sources #

URL
Cap Bug Bounty — SherlockSherlock bug bounty for Cap — live since 2025-10-24, max $1M USDCretrieved 2026-05-17
GitHub
Cap Contracts GitHub repositorycap-labs-dev/cap-contracts — no SECURITY.md presentretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-175 score yellow collected_at 2026-05-17 10:56:24