With the shutdown of the centralized entity’s Responsible Disclosure Program, the time has come for the DAO to consider replacing it. A Responsible Disclosure Program serves two critical functions: it incentivizes security researchers to test our products for vulnerabilities, and it establishes a process for handling reported vulnerabilities in a manner that enables us to protect our users.
As a DAO, all our code and systems are public, and we must assume that it’s only a matter of time before any vulnerability we receive a report about is discovered by the bad guys. Experience running the centralized RDP has also provided the valuable insight that hanging onto reports for too long presents serious record-keeping issues. Thus, I propose that the DAO’s RDP have an explicit 90-day disclosure policy, with all reports actively published after they are remediated, or after 90 days, whichever comes first.
To cut down on the proportion of invalid reports, I suggest that the DAO’s RDP cover only the following GitHub repositories:
In addition, any software hosted under the ShapeShift or KeepKey GitHub Orgs or the @shapeshiftoss NPM Org will be eligible if it is a dependency of one of these in-scope packages.
Awarding bounties is hard because there’s no concrete, quantitative way to calculate what a particular vulnerability report is worth. There are some useful rubrics, but at a fundamental level each actual award amount is essentially pulled out of thin air. This naturally makes verification that the bounty is “correct” quite difficult – and if we can’t independently verify the outcome, we must establish a trustworthy process.
I propose that a Bounty Committee be established for the purpose of reviewing and assigning bounty values to remediated reports. This committee should have good technical and security credentials, but should also represent a cross-section of the DAO community. Its purpose is twofold: to provide confidence to the DAO that bounty funds will be well-allocated, and to provide assurance to security researchers that their reports will receive serious consideration and a fair award.
The Bounty Committee’s recommendations will be submitted to the DAO for vote, and payment from the treasury. I envision a monthly meeting, which will produce an omnibus proposal to pay a set of recommended bounties, and I propose that in the specific, limited case of the Bounty Committee making proposals to pay bounties for RDP reports, the normal forum and ideation steps of the governance process be waived. This will allow the DAO to retain operational oversight of the amounts awarded, while avoiding the potentially problematic process of allocating a “budget” for bounties.
Considering the impact and complexity of vulnerabilities is highly skilled and mentally demanding work, and the members of the Bounty Committee will need to do it regularly. As such, they should be paid on an hourly basis for their work meeting and scoring reports. Budgeting for this can be handled via the Security Workstream; I estimate a workload of 2-4 hours per month for each of 3-8 members.
At this stage, I’m primarily concerned with reaching consensus on the mechanism, not the people – but I do have a few candidates in mind. I’d like to be on it, and I definitely want to ask the rest of the former centralized security team if they’d consider participating; I’d also like to broaden the representation to include people from e.g. Tokenomics and Engineering – @willyfox and @def1cafe come to mind. In any case, though, these details are mutable.
Security researchers value recognition for their contributions. Acknowledgment from a vendor that you reported a vulnerability directly translates to more clients, more respect from other vendors, and higher overall earning potential. Traditionally, this recognition has been given through inclusion on a centralized “hall of fame” list – which puts the researcher’s valuable recognition at the continuing mercy of a vendor, who may at any time choose to discontinue it. Fortunately, we have the tools to solve exactly this sort of problem.
I propose that the DAO fund, through bounties, the creation of an NFT-based Hall of Fame on the xDai chain, and that recognition for a researcher’s contributions be provided in tokenized form.
- A security researcher who submits a valid report will receive an NFT, which will be locked for the duration of the RDP’s 90-day disclosure period. If the issue they’ve reported is later found to be invalid – or if they choose to disclose it publicly during the embargo period – the NFT will be revoked.
- The NFT will be unlocked automatically upon the expiration of the disclosure period, or earlier once the issue is remediated. Once unlocked, the NFT will pay to its holder a small, fixed bounty, as compensation for their effort in reporting the issue.
This “de minimis” bounty is strictly compensation for participating in the administrative overhead of the reporting process, as well as a good-will bonus, and will be the same for every issue irrespective of the issue’s impact or technical complexity. These factors will be considered by the Bounty Committee.
- The Bounty Committee will meet on a regular basis to evaluate all newly-remediated issues and assign bounties to them. Bounties will be paid out to the holder of the associated NFT. This will enable the researcher to “cash out” early, without needing to wait for the Bounty Committee, by selling their NFT.
- The NFT’s metadata will include name and URL fields which the researcher may set and then lock. This ensures that they will retain the credit for their report, even if they do sell the NFT.
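An illustrative ERC-721 contract for the lifecycle above, added here as an example rather than taken from the proposal or from any ShapeShift/DAO repository. It assumes OpenZeppelin Contracts 4.9 (the `_beforeTokenTransfer` hook and `_exists` are that version's API), that the Security Workstream deploys it and holds the `Ownable` owner role, and that committee bounties are also paid through the contract; the function names, the pull-based de minimis payout and the rule that credit is frozen on first transfer are assumptions, not parts of the proposal.

```solidity
// SPDX-License-Identifier: MIT
// Example only; assumes OpenZeppelin Contracts 4.9.x, deployed on xDai.
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract DisclosureHallOfFame is ERC721, Ownable {
    uint256 public constant EMBARGO = 90 days;
    uint256 public immutable deMinimisBounty; // fixed per-report amount, in wei

    struct Report {
        uint64 unlockAt;     // embargo expiry timestamp
        bool remediated;     // set by the workstream to unlock early
        bool paid;           // de minimis bounty already claimed
        bool creditLocked;   // name/url frozen
        string researcherName;
        string researcherUrl;
    }

    mapping(uint256 => Report) public reports;
    uint256 private _nextId;

    event Issued(uint256 indexed id, address indexed researcher, uint64 unlockAt);
    event BountyPaid(uint256 indexed id, address indexed holder, uint256 amount);

    constructor(uint256 bounty) ERC721("RDP Hall of Fame", "RDPHOF") {
        deMinimisBounty = bounty;
    }

    // The workstream pre-funds the de minimis pool from its budget.
    receive() external payable {}

    // Valid report received: mint a locked token to the researcher.
    function issue(address researcher) external onlyOwner returns (uint256 id) {
        id = _nextId++;
        uint64 unlockAt = uint64(block.timestamp + EMBARGO);
        reports[id].unlockAt = unlockAt;
        _safeMint(researcher, id);
        emit Issued(id, researcher, unlockAt);
    }

    // Unlocked once the embargo has expired (no transaction needed) or the
    // issue has been marked remediated, whichever comes first.
    function isUnlocked(uint256 id) public view returns (bool) {
        Report storage r = reports[id];
        return _exists(id) && (r.remediated || block.timestamp >= r.unlockAt);
    }

    // Report found invalid, or researcher broke the embargo: burn the token.
    // Only possible while still locked, so earned recognition cannot be clawed back.
    function revoke(uint256 id) external onlyOwner {
        require(_exists(id) && !isUnlocked(id), "not revocable");
        delete reports[id];
        _burn(id);
    }

    function markRemediated(uint256 id) external onlyOwner {
        require(_exists(id) && !reports[id].remediated, "bad state");
        reports[id].remediated = true;
    }

    // Current holder pulls the fixed de minimis bounty once unlocked. A pull
    // payment means a holder contract that rejects ether cannot wedge the unlock.
    function claimDeMinimis(uint256 id) external {
        Report storage r = reports[id];
        require(isUnlocked(id) && !r.paid, "not claimable");
        require(msg.sender == ownerOf(id), "not the holder");
        r.paid = true; // effects before interaction
        (bool ok, ) = msg.sender.call{value: deMinimisBounty}("");
        require(ok, "payout failed");
    }

    // Committee-assigned bounty goes to whoever holds the token now, which is
    // what lets a researcher cash out early by selling it.
    function payBounty(uint256 id) external payable onlyOwner {
        require(isUnlocked(id), "still embargoed");
        address holder = ownerOf(id);
        (bool ok, ) = holder.call{value: msg.value}("");
        require(ok, "payout failed");
        emit BountyPaid(id, holder, msg.value);
    }

    // Credit fields: settable by the holder until locked; locking is permanent.
    function setCredit(uint256 id, string calldata name, string calldata url) external {
        Report storage r = reports[id];
        require(msg.sender == ownerOf(id) && !r.creditLocked, "credit locked");
        r.researcherName = name;
        r.researcherUrl = url;
    }

    function lockCredit(uint256 id) external {
        require(msg.sender == ownerOf(id), "not the holder");
        reports[id].creditLocked = true;
    }

    // Holder-to-holder transfers are blocked during the embargo; mints and burns
    // (zero address on one side) always pass. Credit is frozen on the first
    // transfer so a buyer cannot rewrite the researcher's name or URL.
    function _beforeTokenTransfer(address from, address to, uint256 firstTokenId, uint256 batchSize)
        internal override
    {
        if (from != address(0) && to != address(0)) {
            require(isUnlocked(firstTokenId), "locked during embargo");
            reports[firstTokenId].creditLocked = true;
        }
        super._beforeTokenTransfer(from, to, firstTokenId, batchSize);
    }
}
```

Two points worth checking before anything like this went live: `revoke` deliberately refuses once `isUnlocked` is true, so a report that turns out to be invalid after remediation or after the 90 days cannot be silently erased from the hall of fame, which matches the proposal's intent that recognition not sit at a vendor's mercy; and because `isUnlocked` is time-based, the "automatic" unlock costs no transaction, but it also means the workstream's window for revocation closes exactly at `unlockAt` regardless of whether anyone has reviewed the report by then.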
The Security Workstream will manage the issuance and revocation of these NFTs, as well as handle the budgeting for the “de minimis” bounty funds. Valid reports have tended to come in at a fairly low rate, a few every week. ShapeShift US’s minimum bounty was $50, which is IMO quite low; we should consider increasing this number to $150 or $200 to incentivize attention by a higher tier of researchers.