-
This is interesting. I trust @PatrickAlphaC will respond as soon as available.
-
Great question! So since the code in security reviews is not live, there don't need to be rules of engagement. Typically, when code IS live, there are rules of engagement. This is more common for bug bounty platforms and not audits, since audits are usually on un-deployed code. Bug bounty platforms like Immunefi do have "rules of engagement", and most of them say "if you actually hack anything, your submission is voided".
-
Hi,
Just wondering if smart contract auditor firms employ a "Rules of Engagement" contract with the client, e.g. Web2 pentesters establish an engagement contract before starting the pentesting. The "Phase 1" that @PatrickAlphaC outlines is very similar to Web2 RoE; however, the RoE is a more formally defined legal contract.
We have a section dedicated to "What if the protocol I audit gets hacked", so maybe we should start thinking about this? The contract itself can be a binding NFT with an established auditing scope and all outcomes and expectations outlined. As this space matures (and https://www.vouch.us/web3 is starting their insurance for web3) and security becomes the norm, there may be a need for such contracts.
Apologies if this is already being done; I am not a professional :) so not aware of current best practices.
Any guidance is really appreciated!