Modification of EIP process to account for security treatments

I’m more concerned about what we should do with ERCs upon vulnerability disclosures. Right now I’m talking about application-level standards.

There can be only two viable options if we want to prevent financial damage to Ethereum users:

  • Mark a standard as “insecure” without modifying the specification/reference implementation. Recommend using other standards in production.
  • Fix the discovered vulnerability in the original ERC.

If we decide to outsource vulnerability disclosures somewhere and declare “we don’t have to deal with vulnerabilities ourselves, let vulnerable ERCs stay unchanged”, then it will inevitably result in financial damage to the end users due to KNOWN vulnerabilities. This is not a goal to pursue in my opinion.