Bug bounty scope gap on highest-TVL contracts
Superstate's assessment for RD-F-183 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
No Immunefi bug bounty program exists for Superstate (confirmed 404). Per factor definition: gray when no bug bounty program exists (see RD-F-007). The highest-TVL contracts (USTB Proxy $1.005B on Ethereum) are entirely outside any formal bounty scope because no bounty scope exists.
Sources #
- DocsSuperstate security disclosure policySuperstate docs: responsible disclosure only, no compensation expected, security@superstate.coretrieved 2026-05-16
- Immunefi Superstate bug bounty (404 - no program)Immunefi 404 for Superstate confirming no bounty program under which scope could be assessedretrieved 2026-05-16
Methodology #
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol superstate factor RD-F-183 score gray collected_at 2026-05-16 00:06:37