Moving away from the model relying on auditors' activity

[Kouprin]

Insights.

Having a couple of conversations with auditors (Sigma Prime and Trail of Bits), I found that previous approach about inviting auditors was incorrect. There are several major reasons why:

1. Auditors work for limited amount of hours under the project instead of completing the audit. This basically means, some projects may be under permanent audition, while others would negotiate for very limited time because of their budget. The final quality of audits will be different even with the same auditor.
2. Auditors understand their work as preparing notes for developers to help them to find and resolve security issues. So, from their perspective their work has no application for measuring quality or safety level of the contract. Their work is focused on the developer, not external users who may want to measure the contract quality.
3. Auditors work under "taking zero responsibility" model. They confirm nothing about contract quality, standards used, etc. Instead, they say something like "in X hours of our audit, we found no divergence between the standard and the contract code". Even it may sounds like approving, there is actually no approval. Auditors avoid approving in any way.
4. Good auditors have tons of work for, at least, next several months. They have no financial, reputation or business motivation to participate in services like NEAR Contracts Registry. Neither of auditors discussed with had submitted anything at https://etherscan.io/contractsVerified.
5. Services like https://www.smartcontractaudits.com/ works badly. There are no clients (almost zero conversion + very low level of understanding audits procedures) from there and tons of auditors registered they have never heard about. The market of auditors is basically divided between several major players with good reputation (like a tribe) + many unknown services which are very hard to trust.
6. Growing a good security engineer takes several years, so the entry threshold is very high at the field for newcomers.

Solution.

First of all, entity of auditor must be removed completely from the contract. The responsibility of publishing audit should be moved to the developers who are interested to prove the quality of the contract.

1. To have an opportunity to measure the contract quality, we should distinguish good contracts from bad ones - and previously this task was taken by auditors. Unfortunately, there is no way to automatize the procedure completely, as malicious user may learn the rules of measuring quality and follow them: submit a copy-pasted contract, fake the audit, add unused standards, etc. To resolve this, we need some trusted people - it might be a council of NEAR experts chosen manually as short-term decision, and may switch to community-based procedures in long-term.
2. The interface suggested at Audit Registry | Bounty: $14,000 in NEAR near/bounties#13 must be changed according to knowledge we received. Instead of registering auditor and sign audits, we will allow users to submit audits and replace registering auditors with registering council members.
3. Due to (5) and (6) above, it's hard to bring new good and trustful auditors. However it's possible to enable community in taking part in making contracts better by building a system of bounties for bug hunting. At glance, it should work the following way:
   a) Developer deposits some amount of money into the project.
   b) There are some rules about bounty distribution, like "confirming major issue -> send 10% of deposit to the hacker".
   c) Hacker opens an issue against the latest deployed version of contract, secretly transferring the details.
   d) Developer can accept the issue and it triggers transfer procedure, or reject.
   e) In case of developer's rejection, hacker may open the details of the issue to ask council to be the judges of the decision.
   f) Council decision will be accepted unconditionally.
   To decrease council participation frequency, there should be fines introduced.

Milestones.

1. Short-term. Getting rid of auditors, implement basic council logic, allow developers to upload audit details, etc.
2. Middle-term. Implement bug hunting bounties.
3. Long-term. Reputation and community-based desicions.

[Kouprin]

Thanks to Sasha, there is bug bounty platform similar to discussed above: https://immunefi.com/