For full security process refer to yearn-security repo.
The scope of the Bug Bounty program spans smart contracts utilized in the Yearn ecosystem – including but not limited to the main VaultV3.vy and VaultFactory.vy Vyper contracts in this repo, including historical deployments that still see active use associated with Yearn, and excluding any contracts used in a test-only capacity (including test-only deployments).
Note: Other contracts, outside of the ones mentioned above, might be considered on a case by case basis, please, reach out to the Yearn development team for clarification.