[SCP-61] Proposal to fund the Security Workstream through May 31, 2022

Summary

Reconfirm as Security Workstream Leader, pay him $16,250/month for the first six months of 2022, and allocate $50,000 to the Security Workstream.

Abstract

has served as the Security Workstream leader since 9/2021, and was paid by ShapeShift US until the end of 2021. He has done a good job so far, and the DAO should continue this mutually beneficial relationship.

As the responsibilities of the Security Workstream expand, it will need funding to create bounties and compensate additional contributors; $50,000 is allocated for these purposes.

Motivation

The DAO’s relationship with has been productive. Having an in-house, full-time, security-focused resource for software architecture, contract review, and engineering assistance is quite valuable and compensation of $16,250/month is commensurate with the compensation of other workstream leaders.

As the products of the DAO increase in complexity and become adopted by a wider user base, the Security Workstream’s role will also grow. As its responsibilities expand beyond what can be comfortably handled by a single person, so will the need to incentivize contributions from outside contributors – both from other workstreams and from outside the DAO completely. Since the role of Security is primarily to support the efforts of other workstreams, it’s tricky to anticipate funding requirements in advance; therefore, a fixed-funding model is proposed, with each future funding request to include an accounting of previous expenditures and the value they have delivered to the DAO.

Specification

  1. The ShapeShift DAO engages VulTech, LLC (’s consulting company) to lead its Security Workstream and provide associated services for the six-month period between 1/1/2022 and 5/31/2022. VulTech, LLC will be compensated $97,500 in total, payable at a rate of $16,250 per month via the DAO’s usual contributor payment scheduling and distribution mechanisms.
  2. The DAO’s Security Workstream will be allocated $50,000 as operating capital.
  3. The Workstream Leader will coordinate with TMDC to draw these funds into Colony as needed.
  4. These funds may be used to create bounties, compensate workstream contributors, and fulfill any of the Security Workstream’s obligations not explicitly funded via other mechanisms.
  5. These funds may be used for on-chain testing or to reimburse gas fees.
  6. While reimbursements for specific expenses incurred on behalf of the DAO are allowed, VulTech, LLC and its employees (i.e., ) may not receive bounties or additional compensation out of these funds.

By the end of the term, the Security Workstream will achieve the following goals:

  • Continue to administer the Responsible Disclosure Program
  • Be available to discuss Security best practices and provide architectural support for all DAO initiatives
  • Provide security review for DAO products and partner integrations
  • Implement a system for tracking security work and providing visibility into velocity and resource allocation
  • Track Security Initiatives (stuff that Security does on its own to accomplish its own objectives)
  • Track Workstream Support efforts (stuff that helps other workstreams accomplish their objectives) and enable other workstreams to reserve security resources for their needs
  • Stretch goal: use “story points” to develop KPIs around overall velocity

Benefits

  • continues to provide a best-in-class security resource for the DAO
  • Security begins growing its contributor base to support the DAO’s increasing throughput
  • Security remains flexible and focused on supporting the needs of other workstreams as they are discovered

Drawbacks

  • Flexibility to respond to other workstreams’ needs as they are discovered requires an essentially pre-paid workstream funding model, which in turn requires trust that funds will be spent wisely
  • Without historical velocity data, non-qualitative KPIs can’t meaningfully be set this term

(So writing about myself in third person is very, very strange, especially when I’m tooting my own horn. shudder)

This is the continuation of a previous proposal, incorporating community feedback. Here’s a distillation of what several people helped me realize:

  • I spent way too much effort and got way too detailed in specifying funding mechanisms
  • There isn’t really any need to shoehorn workstream funding into the “per-month” paradigm if salaries aren’t a controlling component
  • The ability to ask for more, smaller funding allocations is one of a DAO’s explicit strengths, and I should take advantage of it as much as possible

I’ve tried to make things much more straightforward in this iteration. I still intend to make heavy use of Coordinape, but hopefully this is a lot more short-n-sweet. My thanks to everyone for their kind assistance and feedback as I grow into this role!

I certainly support as the Security Workstream Leader. I would like to see some high-level goals in this proposal. Not just for me, but I think it would be helpful to anyone who comes to look at our DAO and the quality of our process - I think every workstream should have some kind of stated goals for each budget period. Even if they are not specific. Goals I could see for the Security workstream might be:

  1. Provide security reviews of code from the Engineering Workstream and outside contributors when requested.
  2. Run the Responsible Disclosure Program
  3. Provide Smart Contract Audits for the Tokenomics Workstream and Initiatives
  4. Be available to discuss Security best practices for all DAO initiatives

Something like that is what I would like to see. Curious if others feel this same way, or if they are good without any goals being explicitly listed.

Agreed with on this - in support of and this workstream being funded; however, all workstreams should have explicit goals and regularly review those goals with the community.

In addition, those goals should preferably be falsifiable (easy to tell if met or not) where possible and have specific and measurable KPIs. I would like to see the addition of such goals as Josh suggests before this proposal moves to Snapshot.

This is a good idea, and I agree in principle. I’ve been turning it over in my head for the last few days trying to figure out how to effectively choose a concrete set of goals, and as usual ’s suggestions have helped significantly.

Since the beginning of this proposal, talking with him has helped me realize something very important: one very important way of looking at the job of Security is as supporting the efforts of other workstreams (as opposed to a perhaps more obvious but significantly less useful formulation like “secure all the things”). Thinking more about this today, I think that one of the keys to coming up with a satisfying set of goals (and, hopefully, KPIs – though that’s more tricky for an area like security which is focused on nonfunctional requirements; I’m not sure “0 massive hacks” is a useful KPI) is to talk to other workstream leaders and find out how Security has been useful to them over the last term, as well as what they’d like to see us doing over the next.

Of course not every answer to those questions will translate directly to a goal or KPI, but that data should help significantly. I’ll make collecting it a focus over the next week and report back here.

Thanks for everyone’s feedback during this process! This is now on Snapshot.