Disclosure channel exists

Hyperlane's assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi bug bounty program exists (live since 2023-01-10; $2.5M max payout; 222 assets in scope). However no SECURITY.md exists in the monorepo, no security contact email is published on docs.hyperlane.xyz, and the April 2026 critical disclosure (issue #8589) demonstrates that researchers cannot easily find the disclosure channel — the reporter posted to public GitHub issues because they could not find a secure channel. Yellow: channel exists but not adequately signposted.

Sources #

URL
Hyperlane Bug Bounties — ImmunefiImmunefi Hyperlane bug bounty — live since 2023-01-10, $2.5M max, 222 assets in scoperetrieved 2026-05-17
GitHub
GitHub Issue #8589 — Critical vulnerability disclosure April 2026Issue #8589: reporter could not find SECURITY.md, security email, or GitHub private vulnerability reportingretrieved 2026-05-17
GitHub
Hyperlane Monorepo Security Overview — GitHubhyperlane-monorepo security overview: 'This project has not set up a SECURITY.md file yet.'retrieved 2026-05-17

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-175 score yellow collected_at 2026-05-16 23:03:56