For full security process refer to yearn-security repo.

The scope of the Bug Bounty program spans smart contracts utilized in the Yearn ecosystem – including but not limited to the TokenizedStrategy.sol and BaseStrategy.sol contracts in this repo, including historical deployments that still see active use associated with Yearn, and excluding any contracts used in a test-only capacity (including test-only deployments).

Note: Other contracts, outside of the ones mentioned above, might be considered on a case by case basis, please, reach out to the Yearn development team for clarification.