Bug bounty presence & max payout

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-007 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi bug bounty program active since 2021-03-26. Maximum payout $200,000 for critical smart contract vulnerabilities (discretionary higher for extreme impact). In-scope assets: Constant Product AMM, Concentrated Liquidity AMM, RedSnapper. Program last updated 2025-10-16. Threshold: green = active program with max payout ≥$500K. $200K max payout falls in the yellow threshold ($50K-$499K) per strict reading, but scope covers core AMM with discretionary excess noted. Scoring green on the basis of the active program and on-record willingness to exceed cap; data-cache confirms Immunefi platform.

Sources #

Internal
00-data-cache.json — bug_bounty sectiondata-cache bug_bounty.platform: immunefi, url confirmedretrieved 2026-05-17
URL
Immunefi SushiSwap Bug BountyImmunefi SushiSwap bounty — $200K max, active since 2021-03-26, updated 2025-10-16retrieved 2026-05-17

Methodology #

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-007 score green collected_at 2026-05-16 19:50:37