For Maintainers · Upstream Intelligence

Your dependencies have secrets.

The libraries you ship contain silently patched vulnerabilities that were never publicly disclosed. Your users inherit the exposure. You inherit the liability.

Dependency Risk
Coverage gap: >50% hidden patches
Ecosystems: 9+ monitored
Disclosure rate: 0.44% observed
Output: API + reports
Pricing: published below
Metric: basis points of TVL

You are shipping code that contains vulnerabilities you were never told about.

Your protocol depends on upstream libraries maintained by other teams. When those teams find and fix security vulnerabilities, the fix does not always come with a disclosure. According to Chainguard’s 2024 analysis, more than 50% of open-source security fixes are never disclosed publicly. The vulnerability gets fixed. The record of it never reaches you.

This means you are running code with known security defects that the upstream maintainer fixed but never told you about. Your dependency manager shows you are up to date. Your audit shows a clean bill of health. Neither tool can see a fix that was never labeled as a security fix, whether the maintainer withheld the disclosure deliberately or simply never recognized the change as security-relevant; the exposure is the same either way.

The problem compounds with forks. If you forked a codebase eighteen months ago, every silent patch merged upstream since then is a vulnerability in your deployment that you do not know exists. Your users are exposed. Your TVL is at risk. Listing the upstream commits your fork lacks is easy; no public data source tells you which of those commits were security fixes.

$2.2B, crypto losses in 2024: total value lost to exploits and hacks across the crypto ecosystem in a single calendar year. Many traced to upstream dependency failures.
70%, audited contracts exploited: share of major 2024 crypto exploits that targeted contracts which had passed a third-party audit. Audits do not catch upstream silent patches.
0.44%, observed disclosure rate: across 4,121 security patches analyzed in 9 ecosystems. For every fix disclosed, roughly 227 are not.
48.4%, market CAGR 2025–2029: the DeFi insurance market is scaling from $3.5B to $16.94B. As TVL grows, so does the cost of undisclosed upstream exposure.

One upstream bug. Four forks. Thirteen months. $31.6 million gone.

██████████’s exchange rate manipulation bug was exploited across four different forks over a thirteen-month window. Total losses: $31.6 million. The vulnerability was known after the first exploit. Three more forks — ████████, ██████, and ████████████ — running the same upstream code were hit afterward because the fix was never publicly disclosed and no downstream notification was issued.

If you are running a fork, this is your risk profile. The upstream maintainer patches silently. You never pull the fix because you never knew it existed. Months later, a researcher or attacker finds the same vulnerability in your deployment. Your users lose funds. Your protocol loses credibility. And the upstream fix was sitting in a commit history the entire time.

This is not a hypothetical. This is the documented cost of shipping code without upstream visibility.

Case: Lending Protocol Fork Exposure
Protocol: ██████████
Vulnerability: exchange rate manipulation in upstream lending codebase
Affected forks: ████████ · ██████ · ████████████
Exploit window: 13 months across 4 separate forks
Total losses: $31.6 million across downstream deployments
Root cause: no public disclosure, no downstream fork notification
Preventable: 3 of 4 incidents, with upstream patch intelligence

This is not an isolated pattern. Our pipeline has detected the same concealment behavior across every category of infrastructure we monitor.

Pattern: Authentication Platform · Bypass
Platform: ██████████████
Vulnerability: authentication bypass affecting session validation; 13 related findings in a single audit cycle
Downstream: applications relying on the platform for user authentication, running vulnerable versions with no notification
Disclosure: findings reported; vendor patched silently across multiple releases

Pattern: Consensus Engine · Fork Detection Bypass
Engine: ████████
Vulnerability: light client verification bypass (CVSS 9.3) enabling undetected chain forks
Downstream: 12+ chains running forked versions of the engine, none notified of the upstream fix
Disclosure: fix shipped without disclosure; downstream chains independently notified by a third-party researcher

52 additional patterns detected across 9 ecosystems.

Our pipeline continuously monitors upstream repositories for silent security patches. The cases above are representative. The full database is larger. Check if your project is in it.

Check your project

1 · Dependency Scan
Type: one-time · Delivery: report · Price: 1 bps of TVL
You forked a codebase eight months ago. You pulled updates twice. You have no idea how many security fixes you missed because they were never labeled as security fixes.

The Dependency Scan is a one-time analysis of every upstream library in your protocol’s dependency chain. We identify every security fix that was merged without public disclosure and map the exposure back to your deployment.

The output is a complete inventory of what you are actually running versus what the public record says you are running. A protocol that appears fully patched against public databases may be carrying dozens of unpatched vulnerabilities that upstream maintainers fixed silently and never told anyone about.

For forked codebases, the scan includes every silent patch merged to the upstream repository since your fork date. That delta is the gap between what you shipped and what the original maintainers know.

What You Receive

Full upstream dependency map. Silent patch exposure report with severity breakdown. Per-finding vulnerability class and affected code path. Downstream fork impact analysis. Remediation priority list. Delivered as a structured report with raw data appendix.

2 · Upstream Watch
Type: continuous · Delivery: API + dashboard · Price: 3 bps of TVL
An upstream maintainer merges a critical security fix at 2 AM on a Saturday. No public disclosure. Your protocol is exposed until you happen to notice — if you ever do.

Upstream Watch is continuous monitoring of every dependency in your stack. When our pipeline detects a silent security patch in any library you depend on, you receive an alert within 48 hours of detection. The clock does not start at disclosure, because there is no disclosure; it starts when the pipeline sees the fix land upstream.

Each alert includes the affected dependency, the commit containing the fix, the vulnerability class, severity rating, and whether the fix is present in your current deployment. Your engineering team can integrate alerts directly into CI/CD via our API, or review them through a web dashboard.
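The two questions an alert has to answer, whether the fix commit is in the code you deployed and what else upstream has merged that your fork never pulled, are commit-graph questions once you have the upstream history fetched. The following is an added example written for this page, not Whitenbaker Labs' pipeline or API: it parses `git rev-list --parents` output (a constructed sample history is embedded), lists upstream commits absent from the fork, and gates a CI run on a constructed alert feed whose field names (`dependency`, `fix_commit`, `severity`, `vuln_class`) are assumed here rather than taken from the page.

```python
"""Fork drift and fix-presence gate over a git commit graph.

Added example for this page, not Whitenbaker Labs' pipeline or API.
REV_LIST_TEXT is a constructed stand-in for `git rev-list --parents --all`
output, whose lines read `<sha> <parent1> [<parent2> ...]` (real SHAs are
40 hex chars; the parser only splits on whitespace). The alert feed schema
(dependency, fix_commit, severity, vuln_class) is assumed for illustration.
"""
import json
import subprocess
from typing import Dict, List

# Constructed history (newest first, as rev-list prints it):
#   upstream main: 1111111 -> 2222222 -> 3333333 -> 4444444 -> 5555555
#   fork:          ... -> 3333333 -> aaaaaaa -> bbbbbbb -> ccccccc
#   ccccccc merges upstream 4444444 into the fork; 5555555 was never pulled.
REV_LIST_TEXT = """\
5555555 4444444
ccccccc bbbbbbb 4444444
4444444 3333333
bbbbbbb aaaaaaa
aaaaaaa 3333333
3333333 2222222
2222222 1111111
1111111
"""
UPSTREAM_HEAD = "5555555"
FORK_HEAD = "ccccccc"  # the ref actually deployed

# Constructed alert feed (schema assumed). 4444444 and 5555555 are silent
# upstream fixes; 9999999 is a fix whose history has not been fetched locally.
ALERTS_JSON = """[
  {"dependency": "lending-core", "fix_commit": "4444444",
   "severity": "high", "vuln_class": "exchange rate manipulation"},
  {"dependency": "lending-core", "fix_commit": "5555555",
   "severity": "critical", "vuln_class": "share accounting rounding"},
  {"dependency": "lending-core", "fix_commit": "9999999",
   "severity": "medium", "vuln_class": "stale price acceptance"}
]"""


def parse_rev_list(text: str) -> Dict[str, List[str]]:
    """Map each commit to its parent list, preserving rev-list order."""
    graph: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            graph[parts[0]] = parts[1:]
    return graph


def load_graph_from_git(repo: str, *refs: str) -> Dict[str, List[str]]:
    """Same graph from a real clone. Fetch the upstream remote first so its
    commits are present, then pass both heads, e.g. ("HEAD", "upstream/main")."""
    out = subprocess.run(["git", "-C", repo, "rev-list", "--parents", *refs],
                         check=True, capture_output=True, text=True).stdout
    return parse_rev_list(out)


def ancestors(graph: Dict[str, List[str]], head: str) -> set:
    """Every commit reachable from head (head included). Parents missing from
    the graph, as in a shallow clone, are treated as the edge of history."""
    seen, stack = set(), [head]
    while stack:
        commit = stack.pop()
        if commit in seen or commit not in graph:
            continue
        seen.add(commit)
        stack.extend(graph[commit])
    return seen


def fork_drift(graph, upstream_head: str, fork_head: str) -> List[str]:
    """Commits reachable from upstream but not from the fork, i.e. what
    `git log fork..upstream` would list. Every silent fix is in here."""
    missing = ancestors(graph, upstream_head) - ancestors(graph, fork_head)
    return [c for c in graph if c in missing]


def fix_present(graph, deployed_head: str, fix_commit: str) -> str:
    """'present', 'missing', or 'unknown' when the fix commit is not in the
    fetched history at all (the graph cannot answer; do not fail open)."""
    if fix_commit not in graph:
        return "unknown"
    return "present" if fix_commit in ancestors(graph, deployed_head) else "missing"


def gate(graph, deployed_head: str, alerts: List[dict],
         block_on=("critical", "high")) -> dict:
    """CI gate: block on missing fixes at the configured severities, and on
    any fix whose commit is unknown, since that means upstream history was
    not fetched and a pass would be meaningless."""
    report = {"present": [], "missing": [], "unknown": []}
    for alert in alerts:
        report[fix_present(graph, deployed_head, alert["fix_commit"])].append(alert)
    blocking = [a for a in report["missing"] if a["severity"] in block_on]
    blocking += report["unknown"]
    return {"ok": not blocking, "blocking": blocking, "report": report}


GRAPH = parse_rev_list(REV_LIST_TEXT)
ALERTS = json.loads(ALERTS_JSON)

if __name__ == "__main__":
    print("fork drift:", fork_drift(GRAPH, UPSTREAM_HEAD, FORK_HEAD))
    result = gate(GRAPH, FORK_HEAD, ALERTS)
    for a in result["blocking"]:
        print(f"BLOCK {a['dependency']}@{a['fix_commit']} {a['severity']}: {a['vuln_class']}")
    raise SystemExit(0 if result["ok"] else 1)
```

To run it against a real fork, `git fetch upstream` first and replace `GRAPH` with `load_graph_from_git(path, "HEAD", "upstream/main")`; one graph per dependency repository in a multi-dependency setup. A shallow clone, or a clone that never fetched upstream, reports the fix commit as unknown, and the gate deliberately treats that as a failure rather than a clean result.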

The service also tracks concealment patterns over time. An upstream project that has silently patched 14 critical vulnerabilities in the past year without a single CVE is a different dependency risk than one that discloses consistently. That pattern data informs which dependencies deserve the most scrutiny and which upstream relationships carry hidden risk.

What You Receive

Everything in Dependency Scan, plus: continuous silent patch detection feed. 48-hour detection-to-alert SLA. API integration for CI/CD pipelines. Dashboard with filtering and export. Concealment pattern histories per upstream project. Dependency risk scoring.

3 · Full Advisory
Type: continuous + advisory · Delivery: API + briefings · Price: 5 bps of TVL
Your board asks whether your protocol’s upstream dependencies are secure. Your honest answer should be: you do not know, because the data to answer that question does not exist in any public database.

Full Advisory is the complete service. It includes everything in Upstream Watch, plus dedicated analyst support, remediation guidance for each finding, quarterly security reviews of your full dependency chain, and investor-ready risk reporting.

When a silent patch is detected in your dependency chain, you do not just get an alert — you get a recommended remediation path, an assessment of whether the vulnerability is exploitable in your specific deployment context, and guidance on disclosure timing if you choose to notify your users.

Quarterly reviews provide a structured assessment of how your upstream risk profile has changed. New dependencies, abandoned projects, maintainers with deteriorating disclosure practices — all of it tracked and reported in a format your board and your investors can understand.

What You Receive

Everything in Upstream Watch, plus: dedicated analyst for your protocol. Remediation guidance per finding. Quarterly dependency chain security reviews. Investor-ready risk reports. Insurance-readiness assessment for DeFi coverage applications. Custom SLAs and reporting cadence.

Pricing · Published · Per Audience

Get out your calculator.

Every rate is published below as basis points of the metric your audience is measured by. Multiply it by your own number; where the result falls under the minimum engagement, the minimum applies.

Your TVL
Rates below are basis points of TVL.

Dependency Scan · one-time · 1 basis point (0.01%) of TVL
  • Full upstream dependency map
  • Silent patch exposure report
  • Severity breakdown per finding
  • Downstream fork impact analysis

Upstream Watch · continuous · 3 basis points (0.03%) of TVL, recurring, billed monthly or annually (locked)
  • Everything in Dependency Scan
  • Continuous silent patch feed
  • 48-hour detection SLA
  • API integration for CI/CD
  • Concealment pattern histories

Full Advisory · full service · 5 basis points (0.05%) of TVL, recurring, billed monthly or annually (locked)
  • Everything in Upstream Watch
  • Dedicated analyst
  • Remediation guidance
  • Quarterly security reviews
  • Investor-ready reporting

Monthly: recalculates each billing cycle based on current TVL. Your cost tracks your growth in real time.
Annual: TVL locked at signing. If you grow $100M mid-contract, your rate stays the same until renewal.
Minimum engagement: $25,000
Regulatory bodies and law enforcement receive complimentary access to this dataset.
Annual Billings
Rates below are basis points of your annual billings; Audit Overlay is priced per engagement.

Silent Patch Access · dataset · 50 basis points (0.50%) of annual billings, recurring, billed monthly or annually (locked)
  • Full silent patch database
  • Search by project, ecosystem, CWE
  • Supplement audit findings
  • Historical concealment data

Audit Overlay · per engagement · 75 basis points (0.75%) of engagement value
  • Targeted scan for audit target
  • Upstream dependency exposure
  • Client-ready findings appendix
  • Silent patch delta report

Integrated Feed · full integration · 100 basis points (1.00%) of annual billings, recurring, billed monthly or annually (locked)
  • Everything in Silent Patch Access
  • API for workflow integration
  • White-label capability
  • Dedicated analyst
  • Priority SLA

Monthly: recalculates each billing cycle based on current billings.
Annual: billings locked at signing. Growth during the contract does not change your rate until renewal.
Minimum engagement: $30,000
Last Round Raised
Rates below are basis points of your last round raised.

Pre-Launch Scan · one-time · 2 basis points (0.02%) of last round
  • Dependency exposure report
  • Silent patches in your stack
  • Risk profile before launch
  • Board-ready summary

Continuous Monitor · continuous · 4 basis points (0.04%) of last round, recurring, billed monthly or annually (locked)
  • Everything in Pre-Launch Scan
  • Ongoing silent patch alerts
  • 48-hour detection SLA
  • API access
  • Concealment pattern data

Full Advisory · full service · 6 basis points (0.06%) of last round, recurring, billed monthly or annually (locked)
  • Everything in Continuous Monitor
  • Quarterly security reviews
  • Investor-ready risk reports
  • Dedicated analyst
  • Insurance-readiness assessment

Monthly: recalculates if your round size or treasury changes.
Annual: round size locked at signing. Raise a bigger round mid-contract? Same rate until renewal.
Minimum engagement: $15,000
Crypto AUM
Rates below are basis points of crypto AUM.

Portfolio Screen · one-time · 2 basis points (0.02%) of crypto AUM
  • Exposure scan across holdings
  • Per-protocol risk breakdown
  • Silent patch count per position
  • LP-ready summary

Due Diligence Feed · continuous · 4 basis points (0.04%) of crypto AUM, recurring, billed monthly or annually (locked)
  • Everything in Portfolio Screen
  • Continuous monitoring of holdings
  • Pre-investment protocol scans
  • Real-time exposure alerts
  • API access

Full Intelligence · full service · 6 basis points (0.06%) of crypto AUM, recurring, billed monthly or annually (locked)
  • Everything in Due Diligence Feed
  • Quarterly portfolio briefings
  • IC-ready risk reports
  • Dedicated analyst
  • Custom coverage by thesis

Monthly: recalculates based on current AUM each billing cycle.
Annual: AUM locked at signing. Portfolio growth mid-contract does not change your rate until renewal.
Minimum engagement: $25,000
Coverage Volume
Rates below are basis points of coverage volume.

Risk Intelligence Feed · data feed · 8 basis points (0.08%) of coverage volume, recurring, billed monthly or annually (locked)
  • Continuous silent patch detections
  • Protocol-level exposure mapping
  • Severity ratings per finding
  • Concealment pattern histories
  • API access for model integration
  • 48-hour detection SLA

Portfolio Assessment · one-time · 3 basis points (0.03%) of coverage volume
  • Full portfolio exposure analysis
  • Per-protocol risk report
  • Public posture vs. actual patch status
  • Upstream dependency mapping
  • Premium repricing recommendations
  • Structured data appendix

Underwriting Intelligence · full service · 12 basis points (0.12%) of coverage volume, recurring, billed monthly or annually (locked)
  • Everything in Risk Intelligence Feed
  • Pre-binding coverage assessments
  • Real-time exposure change alerts
  • Quarterly underwriting briefings
  • Custom SLAs and reporting
  • Dedicated analyst

Monthly: recalculates based on current coverage book each billing cycle.
Annual: coverage volume locked at signing. Book growth mid-contract does not change your rate until renewal.
Minimum engagement: $50,000

Public interest. No charge.

Supervisory bodies receive complimentary access to the full silent patch dataset.
Securities regulators, financial supervisory authorities, and government cybersecurity agencies can access the complete risk intelligence feed at no cost. The data exists to make markets transparent. Charging the entities responsible for transparency would defeat the purpose.

Investigative support. No charge.

Law enforcement agencies receive complimentary access for active investigations.
Silent patches are evidence. When a maintainer fixes a critical vulnerability without disclosure and downstream protocols lose funds, the patch history documents the timeline of knowledge. We provide that evidence to law enforcement at no cost.
  • Concealment timelines with commit-level precision
  • Evidence of knowledge prior to exploit events
  • Downstream exposure mapping for affected parties
  • Expert consultation on technical findings
  • Chain-of-custody-ready documentation
Fraud, negligence, breach notification failures, securities violations — when concealment causes losses, the patch record is the evidence. We make sure investigators have it.
Scope

What you get. What we don’t do.

What You Get

  • Silent patch detections across your full dependency chain
  • Severity-rated findings with evidence
  • Disclosure behavior scoring per upstream project
  • Fork drift reports showing where you’ve fallen behind
  • Coverage across 9+ ecosystems and growing
  • 48-hour detection-to-alert SLA

What We Don’t Do

  • Perform penetration testing or active exploitation
  • Provide legal advice or regulatory representation
  • Guarantee specific coverage or pricing outcomes
  • Disclose raw vulnerability details to non-subscribers
  • Operate as a bug bounty platform or triage service
  • Accept vendor payment to suppress findings
Sources
  • Disclosure gap: Chainguard, "The Hidden Cost of Silent Patches" (2024). Finding: >50% of open-source security fixes lack public disclosure.
  • Crypto losses: Chainalysis, 2024 Crypto Hacking Report. $2.2B in total crypto losses for 2024.
  • Audited contract exploits: Olympix, "The State of Web3 Security in 2025". 70% of major exploits targeted previously audited contracts.
  • DeFi insurance market: Research and Markets, Decentralized Insurance Market Report. $3.5B (2025) to $16.94B (2029), 48.4% CAGR.
  • Lending protocol exploit chain: public incident reports via rekt.news. 4 exploits, 13 months, $31.6M aggregate losses across forked codebases.
  • Internal data: Whitenbaker Labs silent patch detection pipeline. 4,121 patches analyzed, 0.44% disclosure rate across 9 ecosystems.
Get Started

Ship code with complete data.

Start with a Dependency Scan to see what your upstream libraries are hiding. Or go straight to continuous monitoring. Either way, you get data that does not exist in any public database.

Initial consultation free · All prices published · No sales theater