Bug bounty scope gap on highest-TVL contracts
Jupiter Perpetual Exchange's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Jupiter announced a bug bounty program in collaboration with Meteora AG (X post 2025). Program hosted at security.raccoons.dev (redirects to ooosec.com/programs/jupiter). Immunefi API returns null for Jupiter. OOOSEC page returned HTTP 403 — scope details not publicly accessible. Whether the perps program PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu ($691M TVS) is explicitly in scope cannot be verified from public information. Program exists but scope is ambiguous and highest-TVL contract inclusion unverifiable.
Sources #
- Internal00-data-cache.json bug_bounty fieldsData cache bug_bounty.platform: null, bug_bounty.max_payout_usd: null — Immunefi returned no Jupiter listingretrieved 2026-05-16
- Jupiter bug bounty announcementJupiter bug bounty announcement on X — collaboration with Meteora AG, full details at security.raccoons.devretrieved 2026-05-16
Methodology #
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
See the full factor methodology and distribution across all protocols →