Disclosure SLA public

Veda (BoringVault)'s assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program applies 'Category 2: Notice Required' for responsible publication — this governs researcher public disclosure timing, not the team's acknowledgment-time SLA. No explicit acknowledgment-time SLA (e.g., '72h acknowledge') is published in the Immunefi program page, Veda docs (docs.veda.tech), or veda.tech. No SECURITY.md in the repo (data cache security_md_present=false). The absence of a stated response SLA means researchers have no formal guarantee of timely acknowledgment. Yellow: disclosure channel exists but no acknowledgment SLA is published.

Sources #

URL
Veda Docs — Smart Contract SecurityVeda docs smart-contract-security — no disclosure SLA foundretrieved 2026-05-17
URL
Immunefi — Veda Bug Bounty (no SLA found)Immunefi Veda program — 'Category 2: Notice Required' for responsible publication; no acknowledgment SLA statedretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-176 score yellow collected_at 2026-05-17 12:41:22