# Bug Bounty Program

## About tea

***tea***'s core mission is to enhance the sustainability and integrity of the software supply chain by allowing open-source developers to capture the value they create. This is accomplished by providing an ecosystem where code and crypto combine, opening pathways for open-source creators to be rewarded for their hard work and genius. By doing this, ***tea*** allows these creators to be adequately rewarded for their contributions, thereby reinforcing the robustness and credibility of the open-source software ecosystem.

With the ***tea*** Protocol, users will be able to earn rewards through the protocol's incentive algorithm, which applies across every qualifying entry in the ***tea*** registry. These rewards will be proportional to their ecosystem-wide contributions. Project maintainers can track their contributions to the ecosystem through their project's teaRank, which is determined by the Proof of Contribution consensus algorithm.

In the ***tea*** ecosystem, rewards are distributed through TEA, the ecosystem's digital token. Users can stake TEA to projects, which demonstrates their belief in the project's value and helps increase its reputation and visibility within the ecosystem. Staking TEA allows users to actively participate in the growth and development of the ***tea*** ecosystem, while also potentially earning rewards for their contributions.

With this incentivized system, we believe that open-source maintainers and contributors will be able to focus on adding value to the open-source software ecosystem while also being held accountable.

## Bug Bounty Program

### About the Bug Bounty Program

This bug bounty program applies solely to the [Systems in scope](#systems-in-scope) listed below. <mark style="color:red;">All bugs associated with projects registered with the ***tea*** Protocol by the ***tea*** Association must be reported using the mechanisms provided by the ***tea*** Protocol.</mark> The ***tea*** Association may, at its sole discretion, extend the rewards of this bug bounty program to such vulnerabilities.

Additionally, this bug bounty program is focused on preventing the following impacts:

* Loss of TEA or stTEA tokens (herein referred to as “Assets”) by direct theft or permanent freezing outside of normal ***tea*** Protocol operations, including but not limited to slashing due to an ignored or accepted vulnerability report;
* Loss or temporary freezing of TEA tokens, or transfer outside of the agreed-upon protocol parameters from the undistributed teaRank rewards and staking rewards pools (herein referred to as “Pooled Assets”);
* Inability to interact with a ***tea*** Protocol smart contract;
* Protocol shutdown.

All activities related to this bug bounty program must comply with the ***tea*** Association’s [Vulnerability Disclosure Policy](/tea/i-want-to.../learn-about-the-incentivized-testnet-and-bug-bounties/vulnerability-disclosure-policy.md). <mark style="color:red;">As a reminder, all testing MUST be done on private testnets. NO TESTING can be performed with mainnet or public testnet contracts.</mark>

### Reporting Issues

To qualify, bugs must be reported in compliance with the ***tea*** Association’s [Vulnerability Disclosure Policy](/tea/i-want-to.../learn-about-the-incentivized-testnet-and-bug-bounties/vulnerability-disclosure-policy.md).

## Systems in scope

All systems and web properties of the ***tea*** Association, including:

* Website: <https://tea.xyz>
* ***tea*** Protocol dashboard: <https://app.tea.xyz>
* ***tea*** Protocol API endpoints
* ***tea*** Protocol **audited** smart contracts

All production code in the repositories of the following organization: <https://github.com/teaxyz>. For details, please refer to [Assets in Scope](#assets-in-scope).

## Out of scope

The following systems and properties are excluded from this Bug Bounty Program:

* Assets or other equipment not owned by parties participating in this policy, including but not limited to attacks or problems on the Layer 1 and Layer 2 relied upon by the ***tea*** Protocol to deliver its functions;
* Sybil attacks;
* Attacks
  * that the reporter has already exploited themselves, leading to damage;
  * requiring access to leaked keys/credentials;
  * requiring access to privileged addresses (including, but not limited to governance);
* Incorrect data supplied by third parties;
* Issues already listed in the audits for the systems in scope;
* All code in the repositories of the following organization: <https://github.com/teaxyz> that is not active in production and was not audited;
* Vulnerabilities identified in projects registered with the ***tea*** Protocol by the ***tea*** Association. Such vulnerabilities must be reported using the mechanisms provided by the ***tea*** Protocol.

Please note that vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

## Threat Levels

The Bug Bounty program includes the following 4 threat levels. Rewards will be given based on the severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of the ***tea*** Association.

<table><thead><tr><th width="157">Level</th><th>Definition</th></tr></thead><tbody><tr><td>Critical</td><td><p>Issues that could impact a large number of users and have serious reputational, legal or financial implications. An example would be being able to permanently freeze Assets or take Assets from all Users or Pooled Assets which cannot be solved by an upgrade.</p><p>Examples:</p><ul><li>Loss of TEA or stTEA tokens (herein referred to as “Assets”) by direct theft or permanent freezing outside of normal <em><strong>tea</strong></em> Protocol operations;</li><li>Protocol shutdown.</li></ul></td></tr><tr><td>High</td><td><p>Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.</p><p>Examples:</p><ul><li>Temporary freezing of TEA tokens;</li><li>Inability to interact with a <em><strong>tea</strong></em> Protocol smart contract.</li></ul></td></tr><tr><td>Medium</td><td><p>The risk is relatively small and does not pose a threat to User Assets or Pooled Assets.</p><p>Examples:</p><ul><li>Denial of service attacks targeting distinct users;</li><li>Griefing, i.e. no profit motive for an attacker, but damage to the users or the protocol.</li></ul></td></tr><tr><td>Low</td><td><p>The issue does not pose an immediate risk but is relevant to security best practices.</p><p>Example:</p><ul><li>Contract fails to deliver promised returns, but doesn't lose value.</li></ul></td></tr></tbody></table>

## Rewards by Threat Level

All bug reports must come with a PoC in order to be considered for a reward.

Critical bug reports are capped at 10% of economic damage, primarily considering the funds at risk, and taking into account branding and PR issues, at the discretion of the team. However, rewards for Critical bug reports have a minimum reward of USD 50,000.

Payouts are handled by the ***tea*** Association team directly and are denominated in USD. However, payouts are done in USDC.

| Level    | Payout             | Proof of Concept |
| -------- | ------------------ | ---------------- |
| Critical | Up to USD $100,000 | Required         |
| High     | Up to USD $20,000  | Required         |
| Medium   | Up to USD $5,000   | Required         |
| Low      | Up to USD $1,000   | Required         |

## Submission Requirements

To be considered for a reward, all reports must contain the following information:

* Suspected vulnerability category (XSS, SQL injection, etc.);
* Suspected vulnerability title;
* Detailed description of the suspected vulnerability;
* Severity rating (which may be updated by the ***tea*** Association at the ***tea*** Association’s sole discretion);
* *\[Optional] Impact and risk assessment;*
* *\[Optional] Affected environment;*
* Detailed steps to reproduce the issue;
* PoC demonstrating the vulnerability, per the table above;
* *\[Optional] A patch and/or suggestions to resolve the vulnerability;*
* Your name and/or others if you wish to be later recognized.

| ⚠️ ⚠️ REMINDER ⚠️ ⚠️ |
| --- |
| <mark style="color:red;background-color:yellow;">All activities related to this bug bounty program must comply with the ***tea*** Association’s</mark> [<mark style="color:red;background-color:yellow;">Vulnerability Disclosure Policy</mark>](/tea/i-want-to.../learn-about-the-incentivized-testnet-and-bug-bounties/vulnerability-disclosure-policy.md)<mark style="color:red;background-color:yellow;">. As a reminder, all testing MUST be done on private testnets. NO TESTING can be performed with mainnet or public testnet contracts.</mark> |

## Assets in Scope
