Prior known-ignored disclosure
Chainlink CCIP's assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No evidence was found of a security disclosure being ignored prior to exploitation for CCIP. No incidents have occurred (F077 = zero exploits), so this score rests on the absence of negative evidence. Additionally, Chainlink's published bug bounty history demonstrates good-faith response: $500K+ in payouts across 75+ resolved reports, and a confirmed $300K payout for a critical Chainlink VRF vulnerability (a top-10 Immunefi payout). Chainlink is stated to accept vulnerability reports only via Immunefi and HackerOne, indicating a structured triage process. No post-mortem, CVE, or community report documents a pre-exploit disclosure being ignored.
Sources
- URL: "Supporting the Smart Contract Vulnerability Research Community". Chainlink security research case study confirming $500K+ in payouts across 75+ resolved reports, demonstrating active bounty program response. Retrieved 2026-05-16.
Methodology
Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.