defirisk.co
rubric v1.7.0

Disclosure channel exists

Convex Finance's assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Self-hosted bug bounty page exists at docs.convexfinance.com/convexfinance/faq/bug-bounties with contact email contact@convexfinance.com. Max payout $250,000. No Immunefi listing (data cache: bug_bounty.platform null). No SECURITY.md in GitHub repo (data cache: security_md_present false). The Dec 2021 OZ disclosure used Immunefi as a one-off intermediary but there is no standing program. Channel exists but no evidence of active monitoring SLA or recent response. Scored yellow: channel present but no Immunefi backing, no standing program with verified response cadence.

Sources #

  • Internal
    Convex Finance Data Cache — Bug Bounty and SECURITY.md fields00-data-cache.json: bug_bounty.platform null, bug_bounty.url null, security_md_present falseretrieved 2026-05-16
  • Docs
    Bug Bounties — Convex Finance DocsConvex Finance bug bounty page confirming contact@convexfinance.com, $250K max payout, self-hosted program scoperetrieved 2026-05-16

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol convex-finance factor RD-F-175 score yellow collected_at 2026-05-16 02:41:28