
[Pushers N06] Add security contact#81

Merged: luiz-lvj merged 4 commits into main from fix/pushers-L04 on Feb 18, 2026

Conversation

@luiz-lvj (Collaborator) commented Feb 16, 2026

Providing a specific security contact (such as an email address or ENS name) within a smart contract significantly simplifies the process for individuals to communicate if they identify a vulnerability in the code. This practice is quite beneficial as it permits the code owners to dictate the communication channel for vulnerability disclosure, eliminating the risk of miscommunication or failure to report due to a lack of knowledge on how to do so. In addition, if the contract incorporates third-party libraries and a bug surfaces in those, it becomes easier for their maintainers to contact the appropriate person about the problem and provide mitigation instructions.

Throughout the codebase, multiple instances of contracts not having a security contact were identified.

This PR adds a NatSpec comment containing a security contact above each contract definition. It also adds a SECURITY.md file.

Summary by CodeRabbit

  • Documentation
    • Added a project Security Policy with vulnerability disclosure contact (security@openzeppelin.com).
    • Embedded security-contact metadata across contract documentation so the disclosure channel is consistently visible.
  • Chores
    • Updated a public event to include an additional indexed block number parameter (adds lastBlockNumber to the event signature).
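The practice argued for above is easy to verify mechanically, and the review below shows why it is worth doing: the tagged address in the contracts and the address in SECURITY.md can drift apart. The following is an added example, not tooling from this project, that scans Solidity sources for contract, interface and library definitions lacking a `@custom:security-contact` tag and reports tagged addresses that SECURITY.md does not list. It assumes the tag sits in the NatSpec comment directly above the definition (either `///` lines or a `/** ... */` block); the two Solidity files and the SECURITY.md text are constructed inline for the demonstration.

```python
"""Added example (not the project's code): find contract/interface/library
definitions that lack a NatSpec @custom:security-contact tag and report
contacts that disagree with the address named in SECURITY.md."""
import re
from typing import Dict, List, Optional

# Assumed conventions: a definition is introduced at line start by
# `contract`, `interface` or `library` (optionally preceded by `abstract`),
# and its NatSpec is the comment block immediately above it.
DEF_RE = re.compile(r"^\s*(?:abstract\s+)?(?:contract|interface|library)\s+(\w+)")
TAG_RE = re.compile(r"@custom:security-contact\s+(\S+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _natspec_above(lines: List[str], i: int) -> List[str]:
    """Comment lines directly above lines[i]: a run of `///` lines, or a
    `/** ... */` block whose closing `*/` is on the line above."""
    j = i - 1
    block: List[str] = []
    if j >= 0 and lines[j].strip().endswith("*/"):
        while j >= 0:
            block.append(lines[j])
            if "/**" in lines[j]:
                break
            j -= 1
        return block
    while j >= 0 and lines[j].strip().startswith("///"):
        block.append(lines[j])
        j -= 1
    return block


def security_contacts(solidity_src: str) -> Dict[str, Optional[str]]:
    """Map each definition name to the contact in its NatSpec block
    (None when the block has no @custom:security-contact tag)."""
    lines = solidity_src.splitlines()
    found: Dict[str, Optional[str]] = {}
    for i, line in enumerate(lines):
        m = DEF_RE.match(line)
        if not m:
            continue
        contact = None
        for comment in _natspec_above(lines, i):
            t = TAG_RE.search(comment)
            if t:
                contact = t.group(1)
        found[m.group(1)] = contact
    return found


def policy_contacts(security_md: str) -> List[str]:
    """E-mail addresses named in SECURITY.md, deduplicated and sorted."""
    return sorted(set(EMAIL_RE.findall(security_md)))


def audit(sources: Dict[str, str], security_md: str) -> List[str]:
    """Findings for missing tags and for tagged addresses that SECURITY.md
    does not list (a .com/.org split between the two shows up here)."""
    policy = policy_contacts(security_md)
    findings: List[str] = []
    for path, src in sources.items():
        for name, contact in security_contacts(src).items():
            if contact is None:
                findings.append(f"{path}: {name} has no @custom:security-contact tag")
            elif contact not in policy:
                findings.append(
                    f"{path}: {name} lists {contact}, SECURITY.md lists "
                    f"{', '.join(policy) or 'no address'}"
                )
    return findings


# Constructed sample inputs (not the repository's real files).
SAMPLE_SOURCES = {
    "BaseBuffer.sol": (
        "// SPDX-License-Identifier: MIT\n"
        "pragma solidity ^0.8.20;\n"
        "\n"
        "/// @notice Stores a sliding window of block hashes.\n"
        "/// @custom:security-contact security@openzeppelin.org\n"
        "abstract contract BaseBuffer {}\n"
    ),
    "IPusher.sol": (
        "pragma solidity ^0.8.20;\n"
        "\n"
        "/**\n"
        " * @notice Pushes block hashes to a buffer on another chain.\n"
        " */\n"
        "interface IPusher {}\n"
    ),
}
SAMPLE_SECURITY_MD = (
    "# Security Policy\n\n"
    "Security vulnerabilities should be reported by email to security@openzeppelin.com.\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCES, SAMPLE_SECURITY_MD):
        print(finding)
```

Run against the constructed inputs it reports two findings: the interface has no tag at all, and the contract's `.org` address is not the `.com` address SECURITY.md names. Pointing it at a real tree is a matter of reading each `.sol` file into the `sources` dict; the check is deliberately textual so it can run in CI without a compiler, at the cost of not seeing tags that `solc --devdoc` would attach through inheritance.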

@coderabbitai bot commented Feb 16, 2026

Walkthrough

Adds a new SECURITY.md pointing reports to security@openzeppelin.com, inserts @custom:security-contact security@openzeppelin.com NatSpec annotations across multiple contracts/interfaces, and updates the IBuffer event BlockHashesPushed to include a second indexed lastBlockNumber parameter.

Changes

  • Security policy: SECURITY.md
    New security policy file directing vulnerability reports to security@openzeppelin.com.
  • Core interface & base: src/contracts/block-hash-pusher/interfaces/IBuffer.sol, src/contracts/block-hash-pusher/interfaces/IPusher.sol, src/contracts/block-hash-pusher/BaseBuffer.sol
    Added @custom:security-contact security@openzeppelin.com NatSpec tags. IBuffer event BlockHashesPushed signature changed to (uint256 indexed firstBlockNumber, uint256 indexed lastBlockNumber) (ABI-impacting).
  • Chain-specific pushers & buffers: src/contracts/block-hash-pusher/linea/.../LineaBuffer.sol, src/contracts/block-hash-pusher/linea/.../LineaPusher.sol, src/contracts/block-hash-pusher/scroll/.../ScrollBuffer.sol, src/contracts/block-hash-pusher/scroll/.../ScrollPusher.sol, src/contracts/block-hash-pusher/zksync/.../ZkSyncBuffer.sol, src/contracts/block-hash-pusher/zksync/.../ZkSyncPusher.sol
    Added @custom:security-contact security@openzeppelin.com NatSpec tags to implementations; ZkSyncPusher.sol also adds a source reference comment for IMailbox. No other logic changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Add Scroll pusher and buffer  #57 — Related: changes to IBuffer.BlockHashesPushed event (added lastBlockNumber) affect implementations that emit/consume this event.
  • Add Linea pusher and buffer #59 — Related: adds Linea buffer/pusher implementations that must align with updated IBuffer event signature and security-contact annotations.

Suggested reviewers

  • pepebndc



@luiz-lvj changed the title from "[Pushers L04] Add security contact" to "[Pushers N06] Add security contact" on Feb 16, 2026

@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@SECURITY.md`:
- Around line 1-3: Update SECURITY.md to use the same vulnerability contact as
the contracts by replacing the email string "security@openzeppelin.com" with
"security@openzeppelin.org", and fix the broken Markdown link by either
converting "[Immunefi]" to an inline link like "Immunefi (https://immunefi.com)"
or adding a reference definition for [Immunefi] with the correct URL (e.g.,
https://immunefi.com) so the link renders and the contact addresses are
consistent.

SECURITY.md (outdated), comment on lines 1 to 3:
# Security Policy

Security vulnerabilities should be disclosed to the project maintainers through [Immunefi], or alternatively by email to security@openzeppelin.com.

⚠️ Potential issue | 🟡 Minor

Email domain mismatch and broken Markdown link.

  1. The email here is security@openzeppelin.com (.com), but every Solidity contract in this PR uses security@openzeppelin.org (.org). These should be consistent to avoid misdirected vulnerability reports.

  2. [Immunefi] is a reference-style Markdown link with no corresponding URL definition, so it will render as plain text rather than a clickable link.

Proposed fix
 # Security Policy
 
-Security vulnerabilities should be disclosed to the project maintainers through [Immunefi], or alternatively by email to security@openzeppelin.com.
+Security vulnerabilities should be disclosed to the project maintainers through [Immunefi](https://immunefi.com), or alternatively by email to security@openzeppelin.org.

SECURITY.md (outdated):
@@ -0,0 +1,3 @@
# Security Policy

Security vulnerabilities should be disclosed to the project maintainers through [Immunefi], or alternatively by email to security@openzeppelin.com.
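Review bot: on line 3, [Immunefi] is a reference-style link with no "[Immunefi]: <url>" definition anywhere in the file, so it renders as plain bracketed text; since the project is not listed on Immunefi (see the collaborator reply below), drop the clause rather than define the link. The same line names security@openzeppelin.com while the @custom:security-contact tag shown for BaseBuffer on this page reads security@openzeppelin.org; one address should be used in both places so that reports are not misdirected.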
Collaborator comment:

this codebase is not in Immunefi, so please remove it and just keep the email

/// a sliding window of block hashes without requiring contiguous block numbers.
/// @dev Concrete implementations should override `receiveHashes` to add chain-specific access control.
/// @notice Inspired by: https://github.com/OffchainLabs/block-hash-pusher/blob/main/contracts/Buffer.sol
/// @custom:security-contact security@openzeppelin.org
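Review bot: the "/// @notice Inspired by: <url>" line puts a source attribution into the end-user-facing @notice text, while the line above it already uses @dev for implementer guidance; "/// @dev Inspired by: <url>" keeps the attribution in devdoc where it belongs. The @custom:security-contact value here is security@openzeppelin.org, whereas SECURITY.md in this PR says security@openzeppelin.com; confirm which domain is the monitored mailbox before merging.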
Collaborator comment:

isn't the email @openzeppelin.COM ?

@coderabbitai bot left a comment

🧹 Nitpick comments (1)
src/contracts/block-hash-pusher/zksync/ZkSyncPusher.sol (1)

9-9: Consider using a structured NatSpec tag for the source reference.

The /// Source: line is an untagged /// comment. If no tags are used, the Solidity compiler will interpret a /// comment the same way as if it were tagged with @notice, which means this line is semantically conflated with the interface-level notice rather than being categorized as a cross-reference. Using /// @dev Source: or /// @Custom:source would give the attribution a distinct NatSpec category in the compiled devdoc output.

♻️ Suggested improvement
-/// Source: https://github.com/matter-labs/era-contracts/blob/33fbd0d832d15da150dcc7ec8032660980caa692/l1-contracts/contracts/state-transition/chain-interfaces/IMailboxImpl.sol#L88
+/// `@dev` Source: https://github.com/matter-labs/era-contracts/blob/33fbd0d832d15da150dcc7ec8032660980caa692/l1-contracts/contracts/state-transition/chain-interfaces/IMailboxImpl.sol#L88
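Review bot: the "+" line wraps @dev in backticks, so the compiler would still see an untagged "///" comment, now with literal backticks in the notice text; the replacement should read "/// @dev Source: <url>" with no backticks. If a custom tag is preferred instead, Solidity custom tags are lowercase "@custom:<name>", matching the @custom:security-contact tags added elsewhere in this PR.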
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/contracts/block-hash-pusher/zksync/ZkSyncPusher.sol` at line 9, Replace
the untagged triple-slash comment that points to the upstream source with a
NatSpec-tagged comment so it is categorized properly in devdoc; in
ZkSyncPusher.sol (the top-of-file comment referencing the Matter Labs
IMailboxImpl URL) change the line from a plain "/// Source: ..." to a tagged
form such as "/// `@dev` Source: ..." or "/// `@custom`:source: ..." so the
reference is kept but is not treated as `@notice` in the compiled docs.

@luiz-lvj luiz-lvj merged commit 8a10e6f into main Feb 18, 2026
3 checks passed