Security Workstream

I’d like to propose that the DAO create a Security workstream. ShapeShift US’s existing Security department provides a number of services that would be very nice to have a formalized structure for in the DAO, and I think that having a specific home in the DAO for proposals regarding these types of function is important.

But perhaps more importantly, a DAO is by its very nature exposed to a lot of technical risk, and many of these risks tend to trigger more rapidly than a DAO’s native governance cycle can handle. Incident response requires a group of knowledgeable security engineers that the community trusts to act as a contact point and coordinate sensitive tasks effectively, and having a formal Security workstream already set up ahead of time would go a long way towards that goal.

I envision the Security workstream having responsibility for:

  • Providing architecture and code review from an attacker mindset
  • Auditing smart contract code, both internal and that of potential partners
  • Advising on appropriate standards for the protection of sensitive information
  • Verifying sensitive processes to assure no hanky-panky is involved (i.e. the airdrop eligibility list)
  • Sponsoring active penetration tests
  • Coordinating vulnerability disclosures and incident response
  • Helping protect Foxes against cyberattacks and scams
  • Championing secure coding practices and a high standard of code quality

Specific proposals for executing these responsibilities will no doubt follow; I personally have a few I’m excited to get out there. That said, I feel that getting the infrastructure set up is the first order of business.

(Full disclosure: I’m on the existing Security team for ShapeShift US. That means I’m probably a bit biased on this subject – but I genuinely believe this proposal stands on its own merits, and while I’d love to have direct personal involvement I support this proposal even if that’s not the case.)

11 Likes

This is a no-brainer from my perspective, thank you for proposing it @MrNerdHair.

IMHO - the ShapeShift DAO should absolutely setup and fund a Security workstream.

4 Likes

I am all for you taking the reins on this, and second the no-brainer comment by @jonisjon

4 Likes

This is an essential workstream. :+1:

4 Likes

You're on my list for all security related inquiries.

3 Likes

Can't express how important this is. Has my complete support as a community member. Security is not only ethical, it generates marketing value on its own. Another thing, it's a hard issue to talk about but a sad truth. Insider threats and potential risks in dealings with other projects are an unfortunate reality. Analysts with security knowledge and the inherent traits to recognize and show restraint and respect in finding related loopholes in the proposals of other projects is a function I believe fits the scope of this workstream.
(You hint at this in your proposal; I just wanted to specify this since it's the most common threat to any high value project.)

4 Likes

I also see and would express the value and importance of establishing this workstream. The essential need for security should go without saying and I am glad to see the support expressed so far. I agree that this creates additional value to the project and having a competent team that can present a transparent process in establishing infrastructure and process has my support.

2 Likes