Disclosure SLA public

Yearn Finance's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

SECURITY.md publishes a fix-timeline SLA (30–60 days for small changes; up to 90 days for significant issues) and requires reporter to provide technical details within 2 working days of ack. However, no explicit ≤72h acknowledgment SLA is published. Threshold: green = SLA ≤72h ack publicly stated and honored; yellow = SLA stated but not as ≤72h or not tested. The Immunefi platform median resolution time of 19 hours suggests operational responsiveness in practice but is not a formal SLA commitment in Yearn's own policy.

Sources #

URL
Immunefi — Yearn Finance Bug BountyImmunefi Yearn bounty page — median resolution time 19 hours (operational evidence, not formal SLA)retrieved 2026-05-16
URL
Yearn Security Policy (SECURITY.md)Yearn SECURITY.md — 30-60/90-day fix timeline SLA; 2-working-day reporter detail obligation; no explicit ≤72h ack SLAretrieved 2026-05-16

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol yearn-finance factor RD-F-176 score yellow collected_at 2026-05-16 08:34:32