Openzeppelin-contracts: Create bounty program

Created on 26 Mar 2018 · 12 Comments · Source: OpenZeppelin/openzeppelin-contracts

Please create a bug bounty program.

I understand that OZ is a revenue-generating entity. Share the love.

All 12 comments

Just to double check, you mean a bug bounty for finding bugs caused by OpenZeppelin contracts, not a bug-bounty smart contract itself?

I think that'd be a great idea. FWIW, OpenZeppelin itself is not a revenue-generating entity. It'd be neat if we could partner with projects like gitcoin, ethprize, status open bounties, and similar to have the community provide the funds to cover a bug bounty.

Perhaps this is a good application of an Aragon DAO?

I mean that if I find a bug inside code that is published at OpenZeppelin/zeppelin-solidity then I would like to request payment.

OpenZeppelin does generate revenue. The business model was not clear to me before. But now I understand that companies can approach OZ and pay money for audits.

It is not necessary to find funding from outside sources, OZ can provide the funding from its own operating budget.

Ah, you're thinking of Zeppelin, which provides audits and consulting; OpenZeppelin (OZ) is a separate, community-driven collection of smart contracts. Of course, many of the community members are employees of Zeppelin, but certainly not all of them.

Because OZ is a community project, having the community that relies on its features support the bug bounty makes a lot of sense. I expect that if a community fund sprung up to handle bug bounties for OpenZeppelin, Zeppelin itself would contribute.

So the audits that have been performed by OpenZeppelin and are listed here were done without fee?

https://github.com/OpenZeppelin/zeppelin-solidity#collaborating-organizations-and-audits-by-openzeppelin

#866 has removed the confusion caused by that reference, thanks for pointing it out 😄

Thanks for clarifying this on the README.

The current OpenZeppelin website still links to "Security Audits" and "support and security audits" with Zeppelin. It still feels to me like these are related organizations -- the Zeppelin members are the ones that have commit access here and they profit from auditing the code that is here. It will be inappropriate for the community to contribute to the bug bounty if only Zeppelin has commit access and they could fix their own bugs.

ATTACK VECTOR:

  1. Zeppelin maintains OZ as a high-quality code base
  2. Zeppelin allows a few specific bugs to enter OZ
  3. Zeppelin makes money on paid audits where they advise their clients to fix those bugs
  4. Zeppelin makes money from the community by fixing its own bugs
  5. The community is hurt because it pays for these bugs which OZ should not have committed in the first place

I know what Zeppelin audits cost and I know the value of quality assurance on the code that is here. Either way, that is a business decision that Zeppelin needs to make.

But personally, I cannot support any blockchain project connected to a commercial entity where that commercial entity does not contribute to a bug bounty. And more specifically, the value of that project as a whole is equal to the size of the bug bounty.

Hey @fulldecent.

Zeppelin and OpenZeppelin are deeply related. Zeppelin started OpenZeppelin. And Zeppelin contributes to the development of OpenZeppelin allowing some of us to use part of our work week to improve OpenZeppelin. But the point 2 of your attack vector fails because everything we do on this repo is transparent and we do it together with members of the community that are not paid by Zeppelin. We have a strict protocol of code reviews and a long period of testing before releasing a new version to prevent mistakes and malicious actions. If we deviate from that protocol, instead of making money it will hurt both Zeppelin and OpenZeppelin.

What Zeppelin audits for its customers is not the OpenZeppelin code. This has also been always transparent, and you can see more details here: https://blog.zeppelin.solutions/tagged/security

The idea of giving incentives for developers to audit and develop smart contracts is at the core of ZeppelinOS (which is also different from OpenZeppelin). The exact details of how that will look are still work in progress, so your proposals will be very useful.
But as @shrugs said, once that is implemented and ready to go, at Zeppelin we will continue contributing to OpenZeppelin in many ways. We believe this project is fundamental for every blockchain project, including ours.

pura vida

Attack vector point 2 is alive and well.

OpenZeppelin advertised as having an ERC-721 implementation when it knew full well that its implementation was not compliant. You would know OpenZeppelin was working well if you saw this:

  1. Somebody reports a problem: ERC-721 implementation is incorrect
  2. OZ acknowledges that the problem is correct, pays them
  3. OZ puts a notice in README.md: DON'T USE OUR ERC-721 IMPLEMENTATION, IT'S BROKEN
  4. Proceed and fix it when you want

But instead, OZ is not financially responsible for bugs so #2 and #3 don't happen. Now the users of OZ are financially responsible for bugs which OZ knows exists.

Trust me, I have researched the implementations in the wild on mainnet, many people have deployed applications which rely on the broken OZ code and they will be sad to find out it won't be compatible with MetaMask.

Even now ERC-721 is still broken (after the ERC-165 fix). But I don't have time to report it.


"What Zeppelin audits for it's customers is not the OpenZeppelin code." This is false. Some of (all?) Zeppelin's audit reports are published at https://blog.zeppelin.solutions/tagged/security

Here is one example where the Zeppelin project performed a code audit and the target of the audit included OpenZeppelin code:

It may not be obvious that import "zeppelin-solidity/... refers to the OpenZeppelin code. But if you follow along the build script https://github.com/element-group/element-erc20-smart-contract/blob/6a7b48cec1aa8a823b7ec4a03adadc5ca9d22e29/flatten.sh#L10-L11 and then read the NPM module documentation at https://www.npmjs.com/package/zeppelin-solidity then you can see that this is actually OpenZeppelin code.

And also, Zeppelin does specifically recommend that customers use OpenZeppelin code. Here is one example: https://blog.zeppelin.solutions/coinfix-token-audit-c4a0e64190bf

The contract implements similar functionality to code found in OpenZeppelin's SafeMath, Ownable (or Claimable) and Pausable. Reimplementing functionality instead of reusing public and already audited code can bring regression problems and difficult to find bugs. Consider removing the duplicate code from your repo and using the installed versions from OpenZeppelin.


This is in stark contrast to 0xcert. They have an ERC-721 implementation and they have a bug bounty for it. This is the correct way to do open source.

It is correct that Zeppelin recommends the use of OpenZeppelin in its audit reports. The reason we do it is that we trust our code and believe it makes our clients' systems safer. This is the only link between OpenZeppelin and the auditing business run by the company.

It should go without saying, for those who are familiar with our values and our work, that the "attack vector" described is far from even being a possibility.

As for the actual point of this issue, we are interested in setting up a bug bounty program, and bounties for contributions in general. We have started work on this, but we have limited manpower and it will not happen overnight. Please be patient.

@fulldecent Please stay on-topic and report any problems with our implementation of ERC-721 in other issues in this repository.

This is the only link between OpenZeppelin and the auditing business run by the company.

This is incorrect. As denied and refuted above, OpenZeppelin is routinely used in the wild and then that same code is coming back in for review by Zeppelin.


The topic of this discussion is: personally, I cannot support any blockchain project connected to a commercial entity where that commercial entity does not contribute to a bug bounty. And more specifically, the value of that project as a whole is equal to the size of the bug bounty.

If I can solve the problem here it might be my largest contribution to the community.

@fulldecent I'm not sure I understand the logic here; we all benefit from bug bounties indirectly by being able to fully utilize the open source code in our own projects and business solutions, and we go on to profit or contribute to the benefit of others in other open source projects. We get those same benefits if there is a bounty or not, just like any other open source project. Correct me if I am wrong, but what am I fundamentally missing here?

@emmonspired Most of the time I read a valuation for anything related to blockchain, I see a 10-year projection where the company gets to a $1B value.

That means one typo in OZ, or any other software you are copy-pasting into your product could cost you $1B. For example, The DAO had a problem and they lost $60M. The community voted (?) to steal the money back and this resulted in a fork of Ethereum that cost the community $1.5B.

Never rely on free open source software that does not have a bug bounty.


OZ does not have a strong motivation to fix issues because they do not need to pay for problems. In fact they have a strong motivation to NOT fix issues because the same people that control OZ also control Zeppelin -- and those people are soliciting services to fix these types of problems.

BEST EXAMPLE: Go take the code on OZ today and create your smart contract. Then go pay Zeppelin to audit it. I am sure they will then tell you that your code is broken because you forgot to check that right now (2018-06-28) the OZ ERC-721 code is not compliant with the final version of the standard.

If instead there was a bug bounty on OZ you would see a huge warning on the top level README.md that says: WARNING THERE IS A KNOWN PROBLEM WITH THE ERC-721 IMPLEMENTATION HERE AND YOU SHOULD NOT USE IT RIGHT NOW. THIS ISSUE IS ALREADY REPORTED AT XXX AND WE WILL NOT PAY ANY OTHER BOUNTIES FOR THAT ISSUE.
