I’m sitting in a hotel room right now; my dad’s downstairs on the first floor, and we’re across the street from the hospital where he’s scheduled to go in for surgery this afternoon. Last time he went in for this, he almost died. The whole thing’s got me in a contemplative mood, and wanting to make sure I tie up loose ends. (I apologize in advance if I get a bit maudlin; this is sort of a stream-of-consciousness exercise.)
As many of you know, I decided not to present a proposal for renewal of the Security workstream’s budget upon its expiry as of the end of last month. (I’ve delivered that news verbally, but I wanted to make sure it got recorded in writing somewhere as well.) I’ll still be around, though I’ll probably show up more here on the forum than on the engineering side of things. I’ll still be happy to assist with security reviews or other DAO needs from time to time on an ad-hoc basis.
The surgery was a major factor, and certainly the deciding one, but I’d be lying if I didn’t admit that another major factor is that I don’t feel that I’m able to be useful to the DAO in a full-time role any more, and I regret that deeply.
This bear market has hit us hard. I hope that the budget reduction I’ve provided by cutting myself will help, but I’m afraid for the DAO right now. The recent round of engineering cuts came the day after I made the final decision to step back entirely from day-to-day involvement in the DAO, and they shocked me to my core. I’m afraid of the drastic shift in business model such cuts imply, as the engineering workstream no longer possesses the capability to maintain so many of the underlying components and libraries which power our present application and the vision of the future ShapeShift Platform.
The community needs to make a decision about the DAO’s Responsible Disclosure Program going forward. We have had progressively fewer reports as time has gone on; I’d like to believe most of that is because we’ve gotten more secure, though honesty compels me to admit that a significant portion of the equation is that there are fewer researchers who poke at client-side SPA-style web apps than at things with a back-end. As such, and especially in light of the recent narrowing of the scope of our organizational focus, I don’t think it makes sense any more not to outsource the program to a vendor like Immunefi or hats.finance, though that sort of arrangement wouldn’t give the DAO as much flexibility on impact scoring and bounty determination as an in-house approach. (, I’d especially appreciate your perspective here.)
Last month, in order to clear the slate and give the DAO the opportunity to consider changing the way it handles the RDP, I used Security Workstream discretionary funds to purchase the rights to any future bounty the DAO might decide to pay for the two remaining outstanding issues from the researchers who’d reported them. Since the DAO now owns those rights, the question of paying bounties for those issues is now hopefully a moot point, and the DAO can decide whether to continue running the RDP as currently specified or whether to save the money that would otherwise be spent on that program (including the $15k originally budgeted for the development of its associated NFT Hall of Fame) and use it for another purpose. Out of the workstream discretionary funds, I paid Christian Reitter $15k for an (as usual) very detailed and professional report of a set of KeepKey bootloader vulnerabilities, and a researcher going by the handle “benchinoy” $2k for the disclosure of an HTML injection issue in unchained’s swagger docs. I believe these are reasonable awards; they’re roughly consistent with awards made historically for similar issues.
Before the end of last month, I also paid the Support workstream for another 12 user-months of ZenDesk access. My intention is to transition the responsibility for responding to mail directed at the email@example.com address over to support, operations, or engineering personnel; I think it would make sense to use support or operations if we outsource the RDP, and engineering if we don’t. That said, the bill was due at that point, the licenses are transferable to whoever needs them, and I’m happy to mind the store while the DAO figures out where it wants to go from here (or even ride shotgun for a while during the transition).
I’ve probably forgotten something important; sorry if so. I’m not at my computer right now, but my recollection is that the workstream has come in something like $80k under its allocated funds overall, and it’s been my privilege to work with all of you. I’ll be thinking of many of you fondly in the weeks and months to come, and don’t be surprised if I drop in with demos on occasion 🙂