We are proud to announce the open source Smart Contract Security Registry. Effective security requires not only continuous effort but also timely access to critical information. When findings occur, impacted parties need swift, effective, and private communication. The Smart Contract Security Registry offers just this, ensuring that users of the open source OpenZeppelin Contracts library, and of other participating smart contract libraries, receive swift communications about any known incidents or threats.
The Registry addresses a challenge common across the community: identifying the attributes of deployed smart contracts and finding emergency contacts when security events occur. With good governance and security practices, vulnerabilities are less likely to get exploited. Adding your project’s information to the Registry allows our team to alert smart contract users of known vulnerabilities ahead of our public disclosure. We are inviting the community to populate this new Smart Contract Security Registry by adding project information to this form.
How and When Communication Occurs is Critical
Even without the privacy considerations, the distributed nature of many projects presents challenges related to communication with the appropriate contacts. While we have recourse to public forums and social media, not all security matters can be disclosed publicly without unintentionally causing harm. Therefore, we created an open source Registry designed to facilitate incident and security communications.
This year, two critical vulnerabilities were discovered and responsibly disclosed in OpenZeppelin Contracts, an open source smart contract library we develop and maintain for the good of the open economy. Identifying contact information for impacted projects required extensive work (we are grateful to Dedaub, Tenderly, and Dune Analytics for their help here). As our team resolved the vulnerabilities, we reached out to any identified projects privately via email, Telegram, Discord, and Twitter. This experience revealed the need for security communication standards in the open economy.
When it comes to security, how and when communication occurs is critical. We created the Registry as an open source project to solve a need for access to security contact information across a wide range of blockchain projects. Going forward, we will recommend and follow a standard for communication about security matters in the open economy.
What is the Smart Contract Security Registry?
The Smart Contract Security Registry is a repository of JSON files, each describing a project and its deployed smart contracts, including emergency contact information. It allows projects to retain public anonymity while providing public information for users and community supporters about their deployed contracts. The Registry was created within the open source Ethereum Lists project of curated lists, which is already used by many teams within the ecosystem. We would especially like to thank Dune Analytics for helping us populate information for over 250,000 contracts into the registry.
The information in the registry includes critical contact addresses such as email addresses or Telegram handles, allowing emergency response teams, including OpenZeppelin, to swiftly reach out regarding security matters should the need arise. The goal of the Registry, from OpenZeppelin’s standpoint, is to create a public registry of contract attributes and acquire the emergency contact addresses for every project. Projects on the Registry will receive security notices from OpenZeppelin, and we encourage other emergency response teams to also leverage this resource.
OpenZeppelin will never contact anyone on this list for any reason other than security. At the end of this blog you will find OpenZeppelin’s particular protocol for secure communication. If you are contacted through the registry, always confirm that outreach is coming from a verified source.
How the Smart Contract Security Registry Works
Any project can join the registry by adding the following information: an arbitrary project identifier, project name, GitHub organization, security contact email, deployed network, and the addresses of deployed smart contracts using OpenZeppelin’s libraries. To create an entry for your project, fill out this form.
A pull request with a JSON file will be created in the Registry’s repository. In order to ensure valid information, the submitter must be a team member of the associated GitHub organization or the information provided must be otherwise publicly verifiable. OpenZeppelin will review and merge all validated pull requests. As the registry grows, we will add other responsible maintainers.
We also recommend that teams add a custom:security-contact natspec tag to their contracts, carrying the email address of their security contact, and upload their contract metadata to Sourcify. We plan to scan verified contracts and pull the security contact information from this tag to add it automatically to the registry. Users can also leverage Contracts Wizard, our smart contract creation tool, to automatically include this tag.
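The two steps above, reading the security contact out of a contract's natspec comment and assembling a registry entry from the fields listed earlier, as an added example that is not the Registry's own tooling or schema. Solidity writes custom natspec tags as @custom:<name>, so the tag reads @custom:security-contact in source; the sample contract, the JSON key names, and the KNOWN_NETWORKS set are all assumptions made for this example (the post does not define the registry's key names or its allowed network values).

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample contract (not from the post). The natspec tag sits in
# the comment directly above the contract declaration.
SAMPLE_SOURCE = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// @custom:security-contact security@example.org
contract ExampleToken is ERC20 {
    constructor() ERC20("Example", "EXM") {}
}
"""

# Only match the tag on comment lines (///, /**, or a leading *), so the same
# text inside a string literal is not mistaken for the tag.
_TAG_RE = re.compile(
    r"^\s*(?:///|/\*\*|\*)\s*@custom:security-contact\s+(\S+)", re.MULTILINE
)
_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the post does not define the allowed network names.
KNOWN_NETWORKS = {"mainnet", "goerli", "sepolia", "polygon", "arbitrum", "optimism"}


def extract_security_contact(source: str) -> Optional[str]:
    """Return the contact from the first @custom:security-contact tag, or None."""
    match = _TAG_RE.search(source)
    return match.group(1) if match else None


def build_registry_entry(project_id: str, name: str, github_org: str,
                         contact: str, network: str, addresses: List[str]) -> Dict:
    """Validate the fields the post lists and return one registry-style entry.

    Key names are hypothetical; they are not the Registry's real schema.
    """
    if not project_id or not name or not github_org:
        raise ValueError("project id, name and GitHub organization are required")
    if not _EMAIL_RE.match(contact):
        raise ValueError(f"security contact is not an email address: {contact!r}")
    if network not in KNOWN_NETWORKS:
        raise ValueError(f"unknown network: {network!r}")
    normalized = set()
    for addr in addresses:
        if not _ADDRESS_RE.match(addr):
            raise ValueError(f"not a 20-byte hex address: {addr!r}")
        normalized.add(addr.lower())  # case-insensitive de-duplication
    if not normalized:
        raise ValueError("at least one deployed address is required")
    return {
        "id": project_id,
        "name": name,
        "github": github_org,
        "securityContact": contact,
        "network": network,
        "addresses": sorted(normalized),
    }


def entry_from_source(project_id: str, name: str, github_org: str, network: str,
                      addresses: List[str], source: str = SAMPLE_SOURCE) -> Dict:
    """Both steps together: read the contact from the contract, then build the entry."""
    contact = extract_security_contact(source)
    if contact is None:
        raise ValueError("contract carries no @custom:security-contact tag")
    return build_registry_entry(project_id, name, github_org, contact, network, addresses)


if __name__ == "__main__":
    entry = entry_from_source(
        "example-token", "Example Token", "example-org", "mainnet",
        ["0xABCDEF0123456789abcdef0123456789ABCDEF01",
         "0xabcdef0123456789abcdef0123456789abcdef01"],  # same address, mixed case
    )
    print(json.dumps(entry, indent=2))
```

Addresses are lower-cased before de-duplication because the same deployment is often pasted with and without EIP-55 checksum casing; a full checksum check would need keccak-256, which the standard library does not provide, so this example stops at format validation.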
Expectations and communication standards
If a vulnerability is found within one of our libraries, we commit to first indexing the Registry for deployed smart contracts and reaching out to the impacted parties within the Registry. If your project is not registered in the database, we will still do our best to reach out but will do so in a second wave — depending on our ability to identify appropriate contacts.
In the future, we want to expand the allowed parameters in the Registry so that projects can include specific feature information about their deployed smart contracts. This will enable white hats to narrow down the affected smart contracts, so that disclosure of the vulnerability remains within a tighter circle and projects have more time to implement a fix before public disclosure. We will add fields for parameters such as access control, ownable, pausable, upgradable, and the version of libraries (such as OpenZeppelin Contracts) deployed. We encourage other teams to further extend the information in the Registry that could help during responsible disclosures.
We encourage every project using OpenZeppelin Contracts to input their information into the Smart Contract Security Registry.
Please note that we will ONLY send email alerts to contacts on the Registry using security AT openzeppelin DOT com. Any other email regarding a vulnerability from OpenZeppelin should be regarded as a phishing attempt. All emails regarding a vulnerability will also contain “OPENZEPPELIN SECURITY ALERT” in the subject line. We encourage other libraries directing projects toward this registry to employ a similar communication protocol and share it with their community.
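The sender and subject rules stated above, applied to a raw email message, as an added example (not OpenZeppelin's tooling). The three sample messages are constructed for the example; the second one shows why the check must compare the actual address in the From header rather than the display name a mail client shows.

```python
import email
from email.utils import parseaddr
from typing import Dict

# Both values come from the post's stated protocol.
EXPECTED_SENDER = "security@openzeppelin.com"
SUBJECT_MARKER = "OPENZEPPELIN SECURITY ALERT"

# Constructed sample messages (not real mail).
GENUINE_SHAPE = """\
From: OpenZeppelin Security <security@openzeppelin.com>
To: contact@example.org
Subject: OPENZEPPELIN SECURITY ALERT - action required

Details follow.
"""

# The display name shows the expected address; the real sender is elsewhere.
DISPLAY_NAME_SPOOF = """\
From: "security@openzeppelin.com" <alerts@example.net>
To: contact@example.org
Subject: OPENZEPPELIN SECURITY ALERT - action required

Details follow.
"""

# Right sender, but the subject lacks the marker the post promises.
MISSING_MARKER = """\
From: OpenZeppelin Security <security@openzeppelin.com>
To: contact@example.org
Subject: Important notice

Details follow.
"""


def check_alert_email(raw: str) -> Dict[str, object]:
    """Apply the post's two rules to one raw message and explain the verdict.

    Only the address part of From is compared; the display name is ignored.
    """
    msg = email.message_from_string(raw)
    _display_name, address = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    sender_ok = address.lower() == EXPECTED_SENDER
    subject_ok = SUBJECT_MARKER in subject
    return {
        "from_address": address,
        "sender_ok": sender_ok,
        "subject_ok": subject_ok,
        "verdict": "matches stated protocol" if (sender_ok and subject_ok) else "treat as phishing",
    }


if __name__ == "__main__":
    for label, sample in [("genuine shape", GENUINE_SHAPE),
                          ("display-name spoof", DISPLAY_NAME_SPOOF),
                          ("missing marker", MISSING_MARKER)]:
        print(label, check_alert_email(sample))
```

The From header is written by whoever sends the message, so this check catches display-name and lookalike tricks but not a forged header on its own; pair it with the authentication results (SPF, DKIM, DMARC) your mail provider records for the message before acting on an alert.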