defirisk.co
rubric v1.7.0

Disclosure SLA public

Uniswap (v2 + v3)'s assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Uniswap Labs publishes no acknowledgment-time SLA in the Cantina program description, the v3-core bug-bounty.md, or the bug bounty update blog. The 24-hour window in bug-bounty.md is a researcher obligation, not a team response SLA. Practical response quality is good, but no formal commitment exists. V2: yellow. V3: yellow. Combined: yellow.

Detail

Checked: the Cantina bounty page (https://cantina.xyz/bounties/f9df94db-c7b1-434b-bb06-d1360abdd1be), which states no acknowledgment SLA; the v3-core bug-bounty.md (https://github.com/Uniswap/v3-core/blob/main/bug-bounty.md), where the 24-hour window cited is the researcher's obligation to disclose within 24h of discovery, not a team acknowledgment commitment; and the bug bounty update blog (https://blog.uniswap.org/uniswap-labs-bug-bounty-update), which states no SLA. The Cantina platform implies standard triage norms, but Uniswap has not formally committed to a specific acknowledgment timeline. The Dedaub case (Universal Router, 2022) demonstrated fast practical response (fix deployed before launch), but no formal SLA was committed. Methodology: yellow = no SLA published. Score: yellow.

Methodology

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

rubric_version: v1.7.0
protocol: uniswap
factor: RD-F-176
score: yellow
collected_at: 2026-05-12 10:36:11