ERC-5437: Security Contact Interface

An interface for security notice using asymmetric encryption


Metadata
Status: StagnantStandards Track: ERCCreated: 2022-08-09
Authors
Zainan Zhou (@xinbenlv)
Requires

Abstract


An interface for security notice using asymmetric encryption. The interface exposes a asymmetric encryption key and a destination of delivery.

Motivation


Currently there is no consistent way to specify an official channel for security researchers to report security issues to smart contract maintainers.

Specification


The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.


  1. Compliant interfaces MUST implement the getSecurityContact method.

type is a one byte data with valid range of [0x10, 0x7f]. The ranges of [0x00, 0x0f] and [0x80, 0xff] are reserved for future extension.

The type indicates the format of the publicKey and extraData in the following way


TypeEncryption schemeextraData
0x10GnuPG - RSA/3072Email address(es) encoded in format of RFC 2822

A new version of this table can be proposed by future EIPs by specifying a new type number.

  1. The publicKey returned from getSecurityContact MUST follow the encryption scheme specified in the table above.

The following is an example of a publicKey using RSA/3072 generated via GnuPG in an RFC 20 ASCII-encoding of the public key string:


  1. IF setSecurityContact is implemented and a call to it has succeeded in setting a new security contact, an event SecurityContactChanged MUST be emitted with the identical passed-in-parameters of setSecurityContact

  2. It's also RECOMMENDED that an on-chain security notify method securityNotify to implemented to receive security notice onchain. If it's implemented and a call has succeeded, it MUST emit an OnSecurityNotification with identical pass-in-parameter data.

  3. Compliant interfaces MUST implement EIP-165.

  1. It's recommended to set a bounty policy via bountyPolicy method. The id = 0 is preserved for a full overview, while other digits are used for different individual bounty policies. The returned string will be URI to content of bounty policies. No particular format of bounty policy is specified.

Rationale


  1. For simplicity, this EIP specifies a simple GPG scheme with a given encryption scheme and uses email addresses as a contact method. It's possible that future EIPs will specify new encryption schemes or delivery methods.
  2. This EIP adds an optional method, setSecurityContact, to set the security contact, because it might change due to circumstances such as the expiration of the cryptographic keys.
  3. This EIP explicitly marks securityNotify as payable, in order to allow implementers to set a staking amount to report a security vulnerability.
  4. This EIP allows for future expansion by adding the bountyPolicy the extraData fields. Additional values of these fields may be added in future EIPs.

Backwards Compatibility


Currently, existing solutions such as OpenZeppelin use plaintext in source code


It's recommend that new versions of smart contracts adopt this EIP in addition to the legacy @custom:security-contact approach.

Security Considerations


Implementors should properly follow security practices required by the encryption scheme to ensure the security of the chosen communication channel. Some best practices are as follows:

  1. Keep security contact information up-to-date;
  2. Rotate encryption keys in the period recommended by best practice;
  3. Regularly monitor the channel to receive notices in a timely manner.

Copyright


Copyright and related rights waived via CC0.