Disclosure SLA public

Centrifuge's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

72-hour acknowledgement SLA is publicly stated per centrifuge.io/security. However: (a) Cantina bounty program does not state a specific Centrifuge SLA — it says researchers should report within 24 hours which is a researcher SLA, not a team-response SLA; (b) no evidence found of SLA being honored or tested in a documented public case; (c) legacy bounty SLA ($50K DAI max) is not aligned with current Cantina $250K program.

Sources #

URL
https://cantina.xyz/bounties/6cc9d51a-ac1e-4385-a88a-a3924e40c00eretrieved 2026-04-27
URL
https://centrifuge.io/securityretrieved 2026-04-27

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-176 score yellow collected_at 2026-04-30 21:19:10