In the absence of a Security Workstream, the DAO’s Responsible Disclosure Program (RDP) created in SCP-46 needs a sustainable path forward to ensure we keep incentivizing security researchers to disclose vulnerabilities that may adversely affect the DAO, token holders, or our community. HackenProof provides an affordable, easy-to-administer, crypto-native platform that can fulfill our current needs for a monthly fee of $1,200 USD + 10% of bounty payouts. If passed, this proposal would establish a budget of 75,000 USD/yr for the ongoing administration of the program, in addition to bounty payments.
Shapeshift has a long history of taking security seriously. @MrNerdHair established the DAO’s RDP in [SCP-46]; since the expiration of the Security Workstream, that program has been without a clear owner or budget. To continue, the program needs an owner responsible for its administration within the DAO, a budget, and resourcing to ensure its success.
If passed this proposal would enact the following:
Elect anon to be the Responsible Disclosure Program Owner. anon would receive XX/yr as compensation for these efforts.
Establish a budget of 75,000 USD/yr that includes 15,000 USD/yr for on-boarding the DAO to HackenProof and a reserve of up to 60,000 USD/yr for potential RDP payouts.
HackenProof provides a simple interface that can be accessed by any number of DAO members. Additionally, they accept crypto for payment of their fees and for payouts to researchers. They are willing to on-board the DAO directly, without an intermediary (i.e. the Foundation). Below are some screenshots of their interface:
Thanks for putting this up, and keeping this discussion going. Compensation for the RDP Owner: after the initial setup, it doesn’t ‘seem’ like it’s intensive to maintain, so maybe a balloon payment, and then a monthly stipend. $1k too much/little? Just to get the number conversation open.
Yes, I agree there is probably more up front work than on-going maintenance. That being said, I do think there is some variability that would need to be accounted for. For instance, if a “critical” vulnerability was discovered, I would expect that the RDP owner would be intimately involved with coordinating the response through to conclusion and it may take considerable time for that to occur.
Granted, but really what would that entail? ‘rdpOwner’ would pass the info to ‘engineering’ (or similar as appropriate)
and maybe discuss the amount for the reporter, and then go back to the reporter and make payment. (Or would there be a delay of payment to ensure silence on the reporter’s part? Or partial up front, in good faith, and then a final payment at the end?)
What would it cost per year for a similarly experienced person to come into the DAO to manage this program? If MNH was on the higher end of experience, could it be safe to say it’d be about the same as what his salary was? Or would it be less, since they would just be managing this program?
What is the time frame for needing to get them an answer? Are their prices locked in for a bit? Is it worth searching for an individual to handle this internally in the DAO?
If someone were to come into the DAO just as a program manager, without any additional expertise in security, I think you are looking at compensation between 100k and 200k/yr depending on experience. They wouldn’t be able to validate disclosures without more technical and security expertise, and the RDP alone isn’t a full-time role.
No timeframe. I think the bigger impetus for the DAO to move forward is that there is a significant drain of time currently, since each disclosure is being handled without an owner or a clear budget. There are ad-hoc discussions taking place about validating disclosures, how to respond, where payouts will come from, etc. This all wastes the time of our workstreams, which right now don’t have a process in place and aren’t really staffed for it.
I do not know what the right compensation for the Owner of this would be, but I do think HackenProof is very reasonable at 1,200 USD/month.