[SCP-104] Outsource the DAO's Responsible Disclosure Program to HackenProof

Summary

In the absence of a Security Workstream, the DAO’s Responsible Disclosure Program (RDP) created in SCP-46 needs a sustainable path forward to ensure we keep incentivizing security researchers to disclose vulnerabilities that may adversely affect the DAO, token holders, or our community. HackenProof provides an affordable, easy-to-administer, crypto-native platform that can fulfill our current needs for a monthly fee of $1,200 USD + 10% of bounty payouts. If passed, this proposal would establish a budget of 75,000 USD/yr for the ongoing administration of the program in addition to bounty payments.

Motivation

Shapeshift has a long history of taking security seriously. @MrNerdHair established the DAO’s RDP in [SCP-46]; since the expiration of the Security Workstream, the program has had no clear owner or budget. In order to continue, the program needs an owner responsible for its administration within the DAO, a budget, and resourcing to ensure its success.

Specification

If passed this proposal would enact the following:

  1. Extend the mandate of the Operations Workstream to become the owner of the Responsible Disclosure Program
  2. Establish a budget of 75,000 USD/yr that includes 15,000 USD/yr for on-boarding the DAO to HackenProof and a reserve of up to 60,000 USD/yr for potential RDP payouts. In the event that a disclosure warranted a payout beyond this budget, a separate proposal would be needed to extend the budget beyond this amount.

HackenProof

HackenProof provides a simple interface that can be accessed by any number of DAO members. Additionally, they accept crypto for payment of their fees and for payouts to researchers. They are willing to on-board the DAO directly, without an intermediary (i.e. the Foundation). The agreement with them is month-to-month, and in the event a new Security Workstream is formed, that workstream will have the ability to modify the proposed program.

Below are some screenshots of their interface:

The Operations Workstream as owner of this program would be responsible for:

  1. Setting up and continually maintaining the RDP in HackenProof
  2. Acting as the primary point of contact, post-triage, for new disclosures from HackenProof
  3. Coordinating with DAO workstreams to mitigate open disclosures
  4. Exercising discretion to determine payout amounts based on inputs from HackenProof
  5. Ensuring sufficient funds are allocated to HackenProof’s wallets for ongoing maintenance and bounty payouts
  6. Updating and maintaining all external-facing documentation regarding the RDP
  7. Assisting the Support Workstream in funneling all disclosures to HackenProof for intake
  8. Reporting program updates back to the DAO community

Benefits

  • Clear owner of the DAO’s Responsible Disclosure Program
  • Outsourced administration of the triage process to a top-tier firm used widely in the industry
  • Continues the Shapeshift culture of treating security as a priority

Drawbacks

  • 75,000 USD/yr in expenses (~15k to HackenProof, ~60k reserves for potential bounty payout)

Snapshot Poll

https://snapshot.org/#/shapeshiftdao.eth/proposal/0x86897457a45b818d8cccdb67b009ccf2525a3c87b1385734f79a9aaa3fa651db


Thanks for researching and writing this. I’m in favor of it.

What happens in the event the bounty budget (60,000 USD/year) isn’t used up? Are funds going back to the DAO?


Yes, we can either reclaim unused funds or continue the program with the same funds for the next year.


Final Snapshot voting is now live!