[SCP-TBD] Outsource the DAO's Responsible Disclosure Program to HackenProof

Summary

In the absence of a Security Workstream, the DAO’s Responsible Disclosure Program (RDP) created in SCP-46 needs a sustainable path forward to ensure we incentivize security researchers to disclose vulnerabilities that may adversely affect the DAO, token holders, or our community. HackenProof provides an affordable, easy-to-administer, crypto-native platform that can fulfill our current needs for a monthly fee of $1,200 USD + 10% of bounty payouts. If passed, this proposal would establish a budget of 75,000 USD/yr for the ongoing administration of the program in addition to bounty payments.

Motivation

Shapeshift has a long history of taking security seriously. @MrNerdHair established the DAO’s RDP in [SCP-46], which is currently without a clear owner or budget after the expiration of the security workstream. In order to continue this program, it requires an owner responsible for its administration within the DAO, a budget, and resourcing to ensure its success.

Specification

If passed, this proposal would enact the following:

  1. Elect anon to be the Responsible Disclosure Program Owner. anon would receive XX/yr as compensation for these efforts.
  2. Establish a budget of 75,000 USD/yr that includes 15,000 USD/yr for on-boarding the DAO to HackenProof and a reserve of up to 60,000 USD/yr for potential RDP payouts.

HackenProof

HackenProof provides a simple interface that can be accessed by any number of DAO members. Additionally, they accept crypto for payment of their fees and for payouts to researchers. They are willing to on-board the DAO directly, without an intermediary (i.e. the foundation). Below are some screenshots of their interface:

The RDP Owner responsibilities would include:

  1. Set up and continually maintain the RDP in HackenProof
  2. Act as primary point of contact, post triage, for new disclosures from HackenProof
  3. Coordinate with DAO workstreams to mitigate open disclosures
  4. Use discretion to determine payout amounts based on inputs from HackenProof
  5. Ensure sufficient funds are allocated to HackenProof’s wallets for ongoing maintenance and bounty payouts
  6. Update and maintain all external-facing documentation regarding the RDP
  7. Assist the Support workstream in funneling all disclosures to HackenProof for intake
  8. Report program updates back to the DAO community

Benefits

  • Clear owner of the DAO’s Responsible Disclosure Program
  • Outsourced administration of the triage process to a top-tier firm used widely in the industry.
  • Continues Shapeshift’s culture regarding the importance of security.

Drawbacks

  • 75,000 USD/yr in expenses (~15k to HackenProof, ~60k reserved for potential bounty payouts) + RDP Owner compensation

Open Questions To Community

  • Who would own this program?
  • Is ~60,000 USD/yr a good starting budget for bounties? If no issues are discovered, this would not be paid out.
  • What is the correct amount of compensation for the Program Owner?
4 Likes

Thanks for putting this up, and keeping this discussion going. Compensation for the RDP Owner: after the initial setup, it doesn’t ‘seem’ like it’s intensive to maintain, so maybe a balloon, and then a monthly stipend. $1k too much/little? Just to get the number conversation open.

1 Like

A few more links that may help give people more info on HackenProof

Yes, I agree there is probably more up front work than on-going maintenance. That being said, I do think there is some variability that would need to be accounted for. For instance, if a “critical” vulnerability was discovered, I would expect that the RDP owner would be intimately involved with coordinating the response through to conclusion and it may take considerable time for that to occur.

1 Like

Granted. But really, what would that entail? ‘rdpOwner’ would pass the info to ‘engineering’ (or similar, as appropriate)
and maybe discuss the amount for the reporter, and then go back to the reporter and make payment. (Or would there be a delay of payment to ensure silence on the reporter’s part? Or partial up front, in good faith, and then a final payment at the end?)

a few questions that may or may not have answers:

What would it cost per year for a similarly experienced person to come into the DAO to manage this program? If MNH was on the higher end of experience, could it be safe to say it’d be about the same as what his salary was? Or would it be less due to them just managing this program?

What is the time frame for needing to get them an answer? Are their prices locked in for a bit? Is it worth searching for an individual to handle this internally in the DAO?

Oh, with using a 3rd party, the $ might already be set, just needing to be agreed upon, and not having to deal with the reporter directly. Trying to set the idea of what this entails in my mind.

1 Like

Thanks for the questions!

  • If someone was to come into the DAO just as a program manager, without really any additional expertise in security, I think you are looking at compensation between 100-200k/yr depending on experience. They wouldn’t be able to validate disclosures without more technical and security expertise, and the RDP alone isn’t a full-time role.

  • No timeframe. I think the bigger impetus for the DAO to move forward is that there is a significant drain of time currently, since each disclosure is being handled without an owner or a clear budget. There are ad-hoc discussions taking place about validating disclosures, how to respond, where payouts will come from, etc. This all wastes the time of our workstreams, which right now don’t have a process in place and aren’t really staffed for it.

I do not know what the right compensation for the Owner of this would be, but I do think HackenProof is very reasonable at 1,200 USD/month.

1 Like

I might be willing to become involved as the owner; not sure if conversation with interested parties has already begun.

1 Like

Awesome, thanks for putting your hat in the ring.

It sounds like @Tyler may be interested in taking this in house as part of the operations workstream mandate as well.

1 Like

Thanks for the thoughtful response. I figured it’s worth discussing the expense and seeing if there’s interest in house before going outside.

1 Like

Notes from governance call -

  • Add contract terms for HackenProof (month to month)
  • Add a note about how it would work if bounty payouts should exceed the 60k/yr.

HackenProof (the 1,200/month one) sounds like the best option to me. Thanks for doing this legwork!

2 Likes

This has been moved to ideation here

Thanks for all the feedback!

1 Like