Disclosure channel exists
Stake DAO's assessment for RD-F-175 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No public security disclosure channel was found. The /bug-bounty URL (https://www.stakedao.org/bug-bounty) returns HTTP 404 as of 2026-05-16. There is no Immunefi program (data cache: platform=null, url=null; the Immunefi URL returns 404). There is no SECURITY.md in contracts-monorepo (security_md_present=false per data cache). No security@ email appears in the docs, GitHub, or public communications, and there is no security contact page. The docs reference a bug-bounty link internally, but the destination does not exist. Discord and GitHub Issues are not formally configured as monitored disclosure channels. Red: no public disclosure channel for a live DeFi protocol with $160M TVL and 64 months of operational history.
Sources
- GitHub stake-dao/contracts-monorepo — security_md_present: false per data cache pipeline. https://github.com/stake-dao/contracts-monorepo (retrieved 2026-05-16)
- Stake DAO docs/audits — references /bug-bounty link internally; /bug-bounty destination returns 404. https://docs.stakedao.org/audits (retrieved 2026-05-16)
- Immunefi Stake DAO — 404, no program found. https://immunefi.com/bug-bounty/stakedao/ (retrieved 2026-05-16)
Methodology
Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).