Disclosure SLA public

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No formal acknowledgment-time SLA published by SushiSwap. Immunefi program shows a median resolution time of approximately 1 week — this is an observed median, not a published SLA commitment. The v3-core/bug-bounty.md is a Uniswap V3 policy copy directing reports to security@uniswap.org, not a Sushi-operated SLA. No Sushi-authored 'acknowledge within 72/96 hours' or equivalent SLA found in docs or Immunefi program text. Channel exists (F175 green) but no published SLA prevents green here.

Sources #

URL
SushiSwap Bug Bounties — information page (Immunefi)Immunefi SushiSwap program information — median resolution ~1 week (not a published SLA)retrieved 2026-05-17
GitHub
v3-core/bug-bounty.md (sushiswap GitHub)sushiswap/v3-core/bug-bounty.md — Uniswap V3 policy copy directing to security@uniswap.orgretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-176 score yellow collected_at 2026-05-16 19:50:37