I’d like to propose that the DAO create a Security workstream. ShapeShift US’s existing Security department provides a number of services that would be very nice to have a formalized structure for in the DAO, and I think that having a specific home in the DAO for proposals regarding these types of functions is important.
But perhaps more importantly, a DAO is by its very nature exposed to a lot of technical risk, and many of these risks tend to trigger more rapidly than a DAO’s native governance cycle can handle. Incident response requires a group of knowledgeable security engineers that the community trusts to act as a contact point and coordinate sensitive tasks effectively, and having a formal Security workstream already set up ahead of time would go a long way towards that goal.
I envision the Security workstream having responsibility for:
- Providing architecture and code review from an attacker mindset
- Auditing smart contract code, both internal and that of potential partners
- Advising on appropriate standards for the protection of sensitive information
- Verifying sensitive processes to assure no hanky-panky is involved (i.e. the airdrop eligibility list)
- Sponsoring active penetration tests
- Coordinating vulnerability disclosures and incident response
- Helping protect Foxes against cyberattacks and scams
- Championing secure coding practices and a high standard of code quality
Specific proposals for executing these responsibilities will no doubt follow; I personally have a few I’m excited to get out there. That said, I feel that getting the infrastructure set up is the first order of business.
(Full disclosure: I’m on the existing Security team for ShapeShift US. That means I’m probably a bit biased on this subject – but I genuinely believe this proposal stands on its own merits, and while I’d love to have direct personal involvement I support this proposal even if that’s not the case.)