Disclosure SLA public
crvUSD (Curve Stablecoin)'s assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No publicly accessible acknowledgment-time SLA (e.g., '72h ack') found for the Curve bug bounty program. HackerOne policy text states researchers must disclose 'as soon as possible' and Curve will have 'a reasonable amount of time to resolve' — qualitative, not a published SLA. The docs.curve.finance/security/security/ page returned HTTP 403 during this assessment, preventing verification of any SLA language there. Two paid $250K bounties demonstrate active program engagement and rapid response in practice, but the rubric requires a *published* SLA. Yellow: no documented SLA found despite an active and well-funded program.
Sources
- URL: Curve — Bug Bounty Program Policy | HackerOne. HackerOne Curve program — policy states 'reasonable time' without specific SLA window. Retrieved 2026-05-16.
Methodology
Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).