Scope Bug Bounty Rules

This morning I was thinking in more detail about the current exclusion rules in OpenZeppelin's Bug Bounty Program. There are two items I would like to discuss in more detail and gather feedback on. Currently, the following two items are excluded from the bug bounty program:

  • Incorrect data supplied by third party oracles (not to exclude oracle manipulation/flash loan attacks)
  • Basic economic governance attacks (e.g. 51% attack)

While I do understand why those are currently excluded, I still think we should incentivise the community to research these (economic) attack vectors since they can potentially have a material impact on the smart contract design pattern. For instance, oracle extractable value (OEV) can also become a critical pillar.

Most probably it could make sense to launch a separate, more R&D-related bug bounty program for more general economic attack vectors. This is not only relevant for OpenZeppelin but for the entire ecosystem, in particular if we expand the scope beyond just Ethereum and cross-chain economic attacks become possible (i.e. cross-chain arbitrage).

Let me know what you think about it!

Definitely agree these are important (crucial) problems for the ecosystem. This research should be incentivized and funded... but we don't have the resources to do that, so it's out of scope of the bug bounty for OpenZeppelin Contracts. Please note that as an open source project our funding is limited; in fact, our bug bounty rewards are lower than others in the ecosystem.


Please note that as an open source project our funding is limited; in fact, our bug bounty rewards are lower than others in the ecosystem.

Yes, that's why I raise this point here, and it is what concerns me the most. I am wondering what I/we as a community can do to increase your bug bounty capabilities. I mean, think about having just 1% of the total TVL that is protected by OpenZeppelin code. Maybe you guys could somehow run an initiative where each project with a significant TVL that is protected by OpenZeppelin code makes a donation to you as a small percentage of their TVL. This post should serve as an "idea-sharing" thread.