USDC bug bounties · Ethereum · Safe custody

Fund the repos you rely on.

OSSTrust ranks GitHub repositories by committed USDC, lets maintainers claim their program, and keeps idle treasury funds behind a guarded Safe policy instead of an unlocked wallet.

Ethereum mainnet · USDC donations · GitHub claims · Safe multisig · Compound III yield

Treasury flow

Donations stay simple. Payout authority does not.

01 · Donate in USDC
Fund any GitHub repo on Ethereum — it rises on the leaderboard immediately, claimed or not.

02 · Claim via GitHub
Repo owners authenticate and lock payout control away from the marketplace.

03 · Guard the treasury
A Safe plus delay policy buffers emergency exits while Compound III keeps idle USDC productive.

Leaderboard TVL: $768.1K
Seeded example data until live indexing lands.

Programs: 8
GitHub repositories ready for donations.

Claimed: 5
Repos with maintainer-controlled bounty payouts.

Yield-enabled: 5
Programs with Compound III yield routing enabled.

Custody model

Three rules that keep the money safe.

Every design decision comes back to one question: who can move funds, under what conditions, and how does the audit trail look?

Discovery first

Any donor can fund an existing repo and push it onto the board.

Every GitHub repository becomes a program with a public treasury balance, claim state, payout policy, and donation history. That keeps the landing page useful before the repo owner ever logs in.

Claim rights

Maintainers get the social authority. The vault still needs technical guardrails.

Claiming should map to GitHub repository ownership, not just a wallet signature. Once claimed, maintainers can shut out third-party payout processing while the treasury still sits behind a Safe policy.

Capital efficiency

The treasury can earn, but the payout path has to stay legible.

Idle USDC can be routed into Compound III, but only with a sweep policy, explicit accounting, and a hot buffer for near-term payouts. Yield is a bonus, not the trust anchor.
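As an added illustration (not OSSTrust's own code), the three rules above modelled in TypeScript: a sweep that only parks the surplus above a hot buffer, a payout queue gated by a delay window, and a guardian veto that works only inside that window. The Compound III position is assumed to be plain accounting here (no onchain call), and the delay modifier is assumed to behave as a simple timestamp window.

```typescript
// Added example, not OSSTrust code. USDC amounts are 6-decimal base units as bigint; times are unix seconds.
interface Payout { id: number; to: string; amount: bigint; readyAt: number; vetoed: boolean }

interface Treasury {
  hot: bigint;        // USDC sitting in the program's Safe, spendable now
  parked: bigint;     // USDC supplied to Compound III (assumed: accounting only, no onchain call)
  hotBuffer: bigint;  // floor kept out of yield for near-term payouts
  delay: number;      // challenge window in seconds (the delay modifier)
  queue: Payout[];
}

const USDC = (n: number): bigint => BigInt(Math.round(n * 1_000_000));

// Sweep policy: only the surplus above the hot buffer may be parked for yield.
function sweep(t: Treasury): bigint {
  const surplus = t.hot - t.hotBuffer;
  if (surplus <= BigInt(0)) return BigInt(0);
  t.hot -= surplus;
  t.parked += surplus;
  return surplus;
}

// A maintainer queues a payout; nothing moves until the delay window has elapsed.
function queuePayout(t: Treasury, id: number, to: string, amount: bigint, now: number): Payout {
  if (amount <= BigInt(0) || amount > t.hot + t.parked) throw new Error("insufficient treasury");
  const p: Payout = { id, to, amount, readyAt: now + t.delay, vetoed: false };
  t.queue.push(p);
  return p;
}

// The guardian Safe can veto only while the challenge window is still open.
function veto(t: Treasury, id: number, now: number): boolean {
  const p = t.queue.find((q) => q.id === id);
  if (!p || p.vetoed || now >= p.readyAt) return false;
  p.vetoed = true;
  return true;
}

// Execute after the window: unpark from Compound only the shortfall, then pay from the hot balance.
function execute(t: Treasury, id: number, now: number): boolean {
  const p = t.queue.find((q) => q.id === id);
  if (!p || p.vetoed || now < p.readyAt) return false;
  const shortfall = p.amount - t.hot;
  if (shortfall > t.parked) return false;          // explicit accounting: never overdraw the position
  if (shortfall > BigInt(0)) { t.parked -= shortfall; t.hot += shortfall; }
  t.hot -= p.amount;
  t.queue = t.queue.filter((q) => q.id !== id);
  return true;
}
```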

Leaderboard

Find repos worth funding.

Filter by language, type, and payout control before you commit a dollar. Data is seeded mock content matching the production shape.

8 programs · $768.1K funded · 5 claimed · USDC on Ethereum

Columns: # · Repository · Type · Funding · Yield · Control · Status

01 · vercel/next.js · Framework (TypeScript) · Claimed
App Router, React infrastructure, and the framework surface a large security and reliability blast radius.
Tags: frontend, framework, critical dependency
Funding: $184,500 · 422 donors · 17 open
Yield: Compound III supply · 4.1% APR
Control: Dual control · Delay modifier plus guardian Safe

02 · curl/curl · Infrastructure (C) · Unclaimed
One of the most depended-on transport stacks on the internet, but still a project donors can fund before maintainers opt in.
Tags: networking, infrastructure, oss staple
Funding: $118,900 · 255 donors · 11 open
Yield: Idle Safe buffer · No yield configured
Control: Marketplace · OSSTrust-managed payout multisig

03 · tailwindlabs/tailwindcss · Framework (TypeScript) · Claimed
Utility-first CSS is deeply embedded in production web apps, making a visible, high-trust bounty pool attractive to donors.
Tags: css, frontend, design systems
Funding: $102,400 · 301 donors · 8 open
Yield: Compound III supply · 4.3% APR
Control: Repo owner · Repo owner Safe with challenge window

04 · eslint/eslint · Developer Tool (JavaScript) · Claimed
Critical linting infrastructure with a huge downstream footprint and a natural stream of bug and rule-bypass reports.
Tags: tooling, static analysis, developer workflow
Funding: $91,300 · 209 donors · 9 open
Yield: Compound III supply · 4.0% APR
Control: Dual control · Delay modifier plus guardian Safe

05 · bitcoin/bitcoin · Security (C++) · Unclaimed
The canonical Bitcoin node implementation draws donors even without direct maintainer participation.
Tags: protocol, security, payments
Funding: $78,600 · 180 donors · 6 open
Yield: Idle Safe buffer · No yield configured
Control: Marketplace · OSSTrust-managed payout multisig

06 · pnpm/pnpm · Developer Tool (TypeScript) · Claimed
Package-manager infrastructure with direct impact on the JavaScript supply chain and developer build systems.
Tags: package manager, javascript, supply chain
Funding: $73,100 · 193 donors · 13 open
Yield: Compound III supply · 3.9% APR
Control: Repo owner · Repo owner Safe with challenge window

07 · ethereum/go-ethereum · Infrastructure (Go) · Unclaimed
Core Go Ethereum infrastructure with obvious demand for protocol-facing bounty workflows and higher-signal disclosures.
Tags: ethereum, execution client, protocol
Funding: $66,800 · 147 donors · 5 open
Yield: Idle Safe buffer · No yield configured
Control: Marketplace · OSSTrust-managed payout multisig

08 · jqlang/jq · Developer Tool (C) · Claimed
A small, sharp CLI utility with a huge installation base and a bounty pool that benefits from fast maintainer approval.
Tags: cli, data tooling, unix
Funding: $52,500 · 124 donors · 4 open
Yield: Compound III supply · 4.2% APR
Control: Dual control · Delay modifier plus guardian Safe


Roadmap

Shipping in three focused phases.

Each phase unlocks a self-contained slice of value. You can fund and discover repos today. Claims and onchain custody follow.

Phase 01 · Public market surface
Ship the leaderboard, filters, claim-state UX, and typed API contracts first. That gives donors somewhere credible to land before onchain plumbing is live.

Phase 02 · Repo ownership claims
Add GitHub OAuth, verify repository admins, and let claimed programs switch from marketplace-run payouts to maintainer-controlled workflows.

Phase 03 · Treasury automation
Move donation receipts onchain with per-program Safe vaults, delay protection, and an opt-in Compound parking strategy that keeps accounting clean.