Disclosure SLA public
Sanctum's assessment for RD-F-176 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No acknowledgment-time SLA published. No disclosure channel exists (F175 red), so no SLA can be attached to any channel. No Immunefi program to embed an SLA, no SECURITY.md with response timeline, no docs security page with a committed acknowledgment window. Scored red (not gray) because the absence of both channel and SLA represents compounding disclosure hygiene failures, not simply a downstream consequence of a single gap. Red = no SLA published.
Sources
- Docs: Sanctum Docs — no disclosure SLA found. learn.sanctum.so/docs and learn.sanctum.so/legacy-docs/security — no security@ contact, no disclosure SLA, no response timeline published. Retrieved 2026-05-04.
- CertiK Skynet — Sanctum (no SLA). CertiK Skynet — no bug bounty program; Immunefi has no Sanctum program page; no SLA timeline findable. Retrieved 2026-05-04.
Methodology
Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).