defirisk.co
rubric v1.7.0

Disclosure channel exists

Sanctum's assessment for RD-F-175 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No public security disclosure channel found.

(1) No Immunefi bug bounty program: CertiK Skynet shows 'No third-party bounty program'; Immunefi search returned no sanctum.so listing; data cache bug_bounty.platform: null, bug_bounty.url: null.
(2) No security.txt: https://sanctum.so/.well-known/security.txt returns 404.
(3) No SECURITY.md: data cache security_md_present: false for sanctum-unstake-program; igneous-labs/S also has no SECURITY.md per GitHub.
(4) No security@ or equivalent contact found in learn.sanctum.so/docs, learn.sanctum.so/legacy-docs, or the sanctum.so website.

This is a significant gap for a $1.37B protocol — no white-hat researcher has a sanctioned path to report a critical vulnerability.

Sources

  • Curator note
    sanctum.so does not publish a /.well-known/security.txt file (404). RFC 9116 security.txt absence is itself the finding for RD-F-175 (security disclosure channel exposure). No replacement URL is appropriate - the cited factor should be graded on absence-of-evidence, not pointed at a live URL. Grader to convert the citation into a 'no security.txt found at sanctum.so as of 2026-05-06' note. [dead-link, original: https://sanctum.so/.well-known/security.txt]
    retrieved 2026-05-06
  • URL
    CertiK Skynet — Sanctum (no bug bounty)
    CertiK Skynet Sanctum page — explicitly shows 'No third-party bounty program'
    retrieved 2026-05-04
  • GitHub
    igneous-labs/sanctum-unstake-program — no SECURITY.md
    sanctum-unstake-program SECURITY.md — absent per data cache (security_md_present: false); no disclosure instructions in repo
    retrieved 2026-05-04

Methodology

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).


rubric_version: v1.7.0
protocol: sanctum
factor: RD-F-175
score: red
collected_at: 2026-05-04 18:49:23