Bug Bounty Program

About tea

tea's core mission is to enhance the sustainability and integrity of the software supply chain by allowing open-source developers to capture the value they create. This is accomplished by providing an ecosystem where code and crypto combine, opening pathways for open-source creators to be rewarded for their hard work and genius. By doing this, tea allows these creators to be adequately rewarded for their contributions, thereby reinforcing the robustness and credibility of the open-source software ecosystem.

With the tea Protocol, users will be able to earn rewards through the protocol's incentive algorithm that applies across every qualifying entry in the tea registry. These rewards will be proportional to their ecosystem-wide contributions. Project maintainers can track their contributions to the ecosystem through their project's teaRank which is determined through the Proof of Contribution consensus algorithm.

In the tea ecosystem, rewards are distributed through TEA, the ecosystem's digital token. Users can stake TEA to projects, which demonstrates their belief in the project's value and helps increase its reputation and visibility within the ecosystem. Staking TEA allows users to actively participate in the growth and development of the tea ecosystem, while also potentially earning rewards for their contributions.

With this incentivized system, we believe that open-source maintainers and contributors will be able to focus on adding value to the open-source software ecosystem while also being held accountable.

Bug Bounty Program

About the Bug Bounty Program

This bug bounty program applies solely to the Systems in scope listed below. All bugs associated with projects registered with the tea Protocol by the tea Association must be reported using the mechanisms provided by the tea Protocol. The tea Association may, at its sole discretion, extend the rewards of this bug bounty program to such vulnerabilities.

Additionally, this bug bounty program is focused on preventing the following impacts:

  • Loss of TEA or stTEA tokens (herein referred to as “Assets”) by direct theft or permanent freezing outside of normal tea Protocol operations, including but not limited to slashing due to an ignored or accepted vulnerability report;

  • Loss or temporary freezing of TEA tokens, or transfer outside of the agreed-upon protocol parameters from the undistributed teaRank rewards and staking rewards pools (herein referred to as “Pooled Assets”);

  • Inability to interact with a tea Protocol smart contract;

  • Protocol shutdown.

All activities related to this bug bounty program must comply with the tea Association’s Vulnerability Disclosure Policy. As a reminder all testing MUST be done on private testnets. NO TESTING can be performed with mainnet or public testnet contracts.

Reporting Issues

To qualify, bugs must be reported in compliance with the tea Association’s Vulnerability Disclosure Policy.

Systems in scope

All systems and web properties of the tea Association, including:

All production code in the repositories of the following organization: https://github.com/teaxyz. For details, please refer to Assets in Scope.

Out of scope

The following systems and properties are excluded from this Bug Bounty Program

  • Assets or other equipment not owned by parties participating in this policy, including but not limited to attacks or problems on the Layer 1 and Layer 2 relied upon by the tea Protocol to deliver its functions;

  • Sybil attacks;

  • Attacks

    • that the reporter has already exploited themselves, leading to damage;

    • requiring access to leaked keys/credentials;

    • requiring access to privileged addresses (including, but not limited to governance);

  • Incorrect data supplied by third parties;

  • Issues already listed in the audits for the systems in scope;

  • All code in the repositories of the following organization: https://github.com/teaxyz that is not active in production and was not audited;

  • Vulnerabilities identified in projects registered with the tea Protocol by the tea Association. Such vulnerabilities must be reported using the mechanisms provided by the tea Protocol.

Please note that vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Threat Levels

The Bug Bounty program includes the following 4 threat levels. Rewards will be given based on the severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of the tea Association.

LevelDefinition

Critical

Issues that could impact a large number of users and have serious reputational, legal or financial implications. An example would be being able to permanently freeze Assets or take Assets from all Users or Pooled Assets which cannot be solved by an upgrade.

Examples:

  • Loss of TEA or stTEA tokens (herein referred to as “Assets”) by direct theft or permanent freezing outside of normal tea Protocol operations;

  • Protocol shutdown.

High

Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.

Examples:

  • Temporary freezing of TEA tokens;

  • Inability to interact with a tea Protocol smart contract.

Medium

The risk is relatively small and does not pose a threat to User Assets or Pooled Assets

Examples:

  • Denial of service attacks targeting distinct users;

  • Griefing, e.g. no profit motive for an attacker, but damage to the users or the protocol.

Low

The issue does not pose an immediate risk but is relevant to security best practices.

Example:

  • Contract fails to deliver promised returns, but doesn't lose value.

Rewards by Threat Level

All bug reports must come with a PoC in order to be considered for a reward.

Critical bug reports are capped at 10% of economic damage, primarily considering the funds at risk, and taking into account branding and PR issues, at the discretion of the team. However, rewards for Critical bug reports have a minimum reward of USD 50,000.

Payouts are handled by the tea Association team directly and are denominated in USD. However, payouts are done in USDC.

LevelPayoutProof of Concept

Critical

Up to USD $100,000

Required

High

Up to USD $20,000

Required

Medium

Up to USD $5,000

Required

Low

Up to USD $1,000

Required

Submission Requirements

To be considered for a reward, all reports must contain the following information:

  • Suspected vulnerability category (XSS, SQL injection, etc.);

  • Suspected vulnerability title;

  • Detailed description of the suspected vulnerability;

  • Severity rating (which may be updated by the tea Association at the tea Association’s sole discretion);

  • [Optional] Impact and risk assessment;

  • [Optional] Affected environment;

  • Detailed steps to reproduce the issue;

  • POC demonstrating the vulnerability, per table above;

  • [Optional] A patch and/or suggestions to resolve the vulnerability;

  • Your name and/or others if you wish to be later recognized.

⚠️ ⚠️ REMINDER ⚠️ ⚠️

All activities related to this bug bounty program must comply with the tea Association’s Vulnerability Disclosure Policy. As a reminder all testing MUST be done on private testnets. NO TESTING can be performed with mainnet or public testnet contracts.

Assets in Scope

PreviousVulnerability Disclosure PolicyNextLearn about the teaDAO

Last updated