Bug bounty presence & max payout
Superstate's assessment for RD-F-007 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No Immunefi bug bounty program exists (404 on immunefi.com/bug-bounty/superstate). The Superstate security disclosure policy at docs.superstate.com explicitly states: 'Researchers should not expect compensation for discovering vulnerabilities.' No formal max-payout cap, no bounty scope published. Responsible disclosure only via security@superstate.co with no SLA.
Sources #
- DocsSuperstate documentation security disclosure policySuperstate security disclosure policy: no compensation expected, disclosure via security@superstate.coretrieved 2026-05-16
- Immunefi Superstate (404 - no program)Immunefi returned 404 for Superstate bug bounty program confirming no active programretrieved 2026-05-16
Methodology #
Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol superstate factor RD-F-007 score red collected_at 2026-05-16 00:06:37