A code review of an Ethereum smart contract is not enough to ensure the security of the contract. A bug bounty program is essential for the good of the ICO process.
The Aragon Token Network team, for example, runs a good public bug bounty; see it.
There is now a platform called Solidified that makes review and audit easier. See it.
By MrAddon