OpenZeppelin Contracts Bug Bounty Program on Immunefi

We are excited to announce that we are partnering with Immunefi to launch an official bug bounty program for OpenZeppelin Contracts! While we have previously rewarded white hat hackers who reported vulnerabilities in the library, we had never formalized a bounty program until now.

We first engaged with the Immunefi team when they notified us of a critical vulnerability in the TimelockController contract. We had a great experience collaborating with them throughout the response, so we decided to keep working together and set up an official bounty program on the Immunefi platform.

Rewards go up to $25,000 USD for critical vulnerabilities, but keep in mind that OpenZeppelin Contracts is widely used in the ecosystem. So if you find an issue in the library, there's a good chance that it will qualify for multiple bounties from other projects!

In addition, since the v4.4 release candidate, we've established an Open Review period for all release candidates. If you find a vulnerability in a release candidate, you'll get a highly coveted Bug Hunter POAP in addition to the Immunefi bounty!

Bug Hunter v4.4 POAP

Last but not least, if you're an OpenZeppelin Contracts user and want to pitch in to increase the bounty pool, let us know. We see Contracts as a public good for the Ethereum community that we maintain, so we welcome any contributions towards its security!