Bug bounty presence & max payout
crvUSD (Curve Stablecoin)'s assessment for RD-F-007 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Curve operates a HackerOne bug bounty (https://hackerone.com/curve) and a self-hosted program (curve.finance/bugbounty). Maximum payout: $250,000 CRV (confirmed by an on-chain governance vote for the f(x) Protocol discovery). No Immunefi listing. The $250K CRV payout is denominated in CRV, not fixed in USD; at current prices it may be near $250K USD, but this is uncertain. The HackerOne page did not render scope details confirming that the crvUSD Controller/AMM contracts are explicitly in scope, though the paid bounty involved a bug routed through LLAMMA crvUSD/WETH. Threshold: green = active program with max payout ≥$500K USD. Marking yellow (payout in CRV, not USD-fixed; scope not fully confirmable).
Sources
- Governance: Pay $250k Bug Bounty to f(x) Protocol — Curve Governance Forum. Curve governance vote — Pay $250K CRV bug bounty to f(x) Protocol for Swap Router bug involving LLAMMA crvUSD/WETH. Retrieved 2026-05-16.
Methodology
Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.