Disclosure channel exists
Chainlink CCIP's assessment for RD-F-175 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Chainlink operates two public security disclosure channels: (1) an Immunefi bug bounty program with a $3M maximum critical payout, in which CCIP OCR Execute Plugin, CCIP OCR Commit Plugin, CCIP EVM, and CCIP Solana are explicitly listed among the 25 in-scope assets; (2) a HackerOne program, linked from the GitHub security tab, covering node software and smart contracts. The Immunefi program has been active since its May 2021 expansion, with over $500K paid out across 75+ resolved reports to 50+ researchers. The critical impact category includes RMN onchain curse bypass, which is directly relevant to CCIP. KYC is required, a PoC is required, and reports are triaged by Immunefi.
Sources
- Chainlink Bug Bounties - Scope | Immunefi: Immunefi Chainlink bug bounty scope page confirming CCIP OCR Execute Plugin, CCIP OCR Commit Plugin, CCIP EVM, and CCIP Solana as named in-scope assets; $3M max critical payout; 25 total assets (retrieved 2026-05-16)
- Chainlink Bug Bounties | Immunefi: Chainlink bug bounty main program page on Immunefi; $3M maximum payout for critical smart contract vulnerabilities (retrieved 2026-05-16)
- Chainlink GitHub Security Policy: HackerOne program linked from the Chainlink GitHub security tab, covering node software and smart contract vulnerabilities (retrieved 2026-05-16)
Methodology
Determine whether the protocol publishes a public security disclosure channel (a security@ email address, an Immunefi program, or an in-house disclosure page).