Reporting OSS Vulnerabilities
Coming Soon to Testnet

Find and report vulnerabilities to secure the software supply chain

Security researchers can enhance the security of OSS software by submitting vulnerability reports to project maintainers. Users who report valid vulnerabilities may be rewarded with TEA.
Earn rewards for valid vulnerability reports
Security researchers are encouraged to participate in the tea Protocol by reporting software vulnerabilities associated with the tea Protocol or registered software projects.
Project maintains codebase

OSS contributors receive and evaluate vulnerability reports

Project contributors continually maintain open-source software code, including by evaluating incoming vulnerability reports.

Security researchers evaluate codebase

Users hunt for software vulnerabilities and submit reports

Anyone may report a software vulnerability. Staking TEA tokens to a vulnerability report is an anti-spam measure that’s required to submit the report.

Codebase vulnerability reported
Reporter stakes TEA tokens
Vulnerability is evaluated

Vulnerability is addressed

The happy path: project maintainers take action

OSS project maintainers address the vulnerability report by either accepting or rejecting it. Vulnerability researchers who submit accepted reports are rewarded with TEA. Maintainers are expected to promptly address the vulnerabilities identified by valid reports, or explain why rejected reports are invalid.

Vulnerability is ignored

Left on the shelf: the vulnerability report is not addressed

The unhappy path occurs when OSS project maintainers ignore the vulnerability report by neither accepting nor rejecting it. Not responding to a submitted vulnerability report in a timely manner causes the OSS project and its stakers to be penalized using a token-slashing mechanism. Not resolving a validated vulnerability also results in penalization via slashing for an OSS project and its stakers.