[SCP-9] Shall a Security Workstream be created and Reid Rankin assigned as its initial leader?



Why should people use this workstream? What is it for?

The Security Workstream will primarily be responsible for providing security review of sensitive code, advising on appropriate standards for the protection of sensitive information, and coordinating penetration tests, audits, and incident response.

The Security Workstream will also be available to host security-related proposals generally, and to act as a delegation point for special projects or bounty funds that may be approved for security-specific efforts.


What is the mission of this workstream?

To provide a robust and responsible resource for addressing critical issues, be a source for security information for all Foxes, and ensure the trustability of the ShapeShift ecosystem and its code.


How exactly is this different than the other categories we already have?

While this workstream will have some of its own engineering resources to draw upon, no other workstream currently focuses specifically on security issues. A DAO is by its very nature exposed to a great deal of technical risk, much of which can materialize more rapidly than a DAO’s native governance cycle can respond to. Incident response requires a group of knowledgeable security engineers that the community trusts to act as a contact point and coordinate sensitive tasks effectively, and having a formal Security Workstream already set up ahead of time helps accomplish that goal.


What are the goals of this workstream?

  • Provide architecture and code review from an attacker mindset
  • Audit smart contract code, both internal and that of potential partners
  • Advise on appropriate standards for the protection of sensitive information
  • Verify sensitive processes (e.g. airdrop eligibility lists) to assure no tampering or manipulation is involved
  • Sponsor active penetration tests
  • Coordinate vulnerability disclosures and incident response
  • Help protect Foxes against cyberattacks and scams
  • Champion secure coding practices and a high standard of code quality
  • Issue appropriate security advisories
  • Evaluate and advise the community on the security impact of all newly posted proposals

In addition, as ShapeShift US winds down, its Responsible Disclosure Program (RDP) will be going with it. The Security Workstream will have the responsibility to design a proposal for the DAO’s own bug bounty program to take its place.

ShapeShift US also currently provides an on-call rotation for timely handling of incident reporting and response, and the Security Workstream will continue this service after the centralized entity winds it down.

What metrics can this workstream’s success be measured against?

  • Number of successful attacks against the ShapeShift ecosystem
  • Number and type of threats mitigated
  • Number of security reviews completed
  • Time-to-resolution of reported security issues

Dependencies on other Workstreams

The Security Workstream will work closely with the Engineering Workstream, both in development of net-new code and in coordination of vulnerability fixes for existing code, and will coordinate with the Customer Support Workstream to handle both security issues reported as support requests and support requests reported as security issues.

Additionally, the Security Workstream will have the responsibility to evaluate ongoing threats; in the event of an emergency, it will have the responsibility to coordinate appropriate emergency measures with other workstreams (especially Engineering and Operations).

Will your workstream hold recurring meetings?

This workstream will hold regular public “office hours” to answer questions and solicit community input. Exact dates and times will be arranged via a public calendar poll and announced on the forum and Discord.

Workstream Funding

No funding is requested at this stage; going forward, individual proposals will be brought to fund specific initiatives, including any personnel requirements, and containing performance standards as applicable.

(For context, ShapeShift US’s Security department operates on a budget in the 5-figure-per-month range. The Security Workstream will likely have somewhat less in the way of systems expenses and somewhat more in the way of people expenses, but hopefully this is useful at least as a ballpark figure so that voters know what they’re getting into.)

Workstream Leadership

I’m Reid Rankin (@MrNerdHair), a Software Security Engineer in the current ShapeShift US Security department. In light of the positive feedback received so far on the forum, I’d like to volunteer to be the initial workstream leader.

It’s important that this workstream have a group of knowledgeable security engineers that the community trusts to coordinate sensitive tasks effectively, and a degree of continuity with the existing centralized infrastructure should help enable that trust. And while I can’t speak directly for my Security colleagues, I do believe that several of them will be joining us on this exciting but uncertain decentralized voyage, and I expect that they may also find their natural place in this workstream.

I’ll be leaving ShapeShift US’s employment at the end of the year. While I’m still on their payroll, I don’t intend to ask to be compensated for this role; afterwards, however, I do anticipate it being a paid position. (For the avoidance of doubt, I do also hope to make paid contributions to other workstreams as opportunities present themselves.)

This means that funding for the workstream leader position will need to be allocated in January 2022, which will also conveniently serve as a kind of “term limit” in that the associated proposal will provide a specific opportunity for the DAO to consider my performance and potential alternative leadership options.


Yes: A Security Workstream will be created, and Reid Rankin (@MrNerdHair, 0xA69c0339Ef7E34406C5bAd7F2DbD672a68b9338a) will be assigned as its initial leader.

No: A Security Workstream will not be created at this time.