Sherlock only offers bug bounty coverage. But every bug bounty coverage policy includes an equal amount of exploit coverage. If a protocol team signs up for $500k of bug bounty coverage, a $500k exploit coverage policy will be automatically included. This is to ensure that Sherlock isn't incentivized to hope protocols get exploited on mainnet instead of paying out a bug bounty. Sherlock requires 1 month's worth of upfront payment before coverage can be activated. From there, it's up to the protocol team in terms of paying bi-weekly, monthly etc. All Sherlock monitors is that the balance of payment does not reach zero. If it reaches zero (technically if it reaches 500 USDC) a protocol will be auto-removed from coverage by an arb bot.

A protocol team can manage payments directly using the protocol payment portal.