Question or Support Request
Providing a specific security contact (such as an email or ENS name) in a smart contract significantly simplifies the process for individuals to communicate if they identify a vulnerability in the code. This practice is beneficial as it permits the code owners to dictate the communication channel for vulnerability disclosure, eliminating the risk of miscommunication or failure to report due to a lack of knowledge on how to do so.
In addition, if a contract incorporates third-party libraries and a bug surfaces in those, it becomes easier for the maintainers of those libraries to contact the appropriate person about the problem and provide mitigation instructions.
Using the `@custom:security-contact` convention is recommended as it has been adopted by the OpenZeppelin Wizard and the ethereum-lists.
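As an added example (not part of the issue or of any project it mentions), a small Python check that scans Solidity sources for the `@custom:security-contact` NatSpec tag and reports which contracts lack one; the two contract sources are constructed for the example, and the file names and contact values are made up.

```python
import re
from typing import Dict, Optional

# Constructed sample sources (not real contracts). One declares the tag
# with `///` comments, the other uses a `/** */` block and omits it.
SAMPLE_SOURCES: Dict[str, str] = {
    "Vault.sol": """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Vault
/// @custom:security-contact security@example.com
contract Vault {
    function deposit() external payable {}
}
""",
    "Token.sol": """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/**
 * @title Token
 * @dev No security contact declared here.
 */
contract Token {}
""",
}

# Match the tag only inside NatSpec comments (`///` lines or `*`-prefixed
# block-comment lines). The value may be an email or an ENS name; stop at
# whitespace or at the `*/` that closes a one-line block comment.
TAG_RE = re.compile(r"(?:///|\*)\s*@custom:security-contact\s+([^\s*]+)")


def security_contact(source: str) -> Optional[str]:
    """Return the declared security contact, or None if the tag is absent."""
    match = TAG_RE.search(source)
    return match.group(1) if match else None


def audit(sources: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each file name to its contact (None marks a missing disclosure channel)."""
    return {name: security_contact(src) for name, src in sources.items()}


if __name__ == "__main__":
    for name, contact in audit(SAMPLE_SOURCES).items():
        print(f"{name}: {contact or 'MISSING security contact'}")
```

Run over a real repository by reading each `.sol` file into the dictionary; any `None` entry is a contract whose maintainers cannot be reached through the convention.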