Security Workstream Proposal

I propose that the DAO create a Security workstream. This workstream would be available to host security-related proposals generally, and would have the following specific responsibilities:

  • Providing architecture and code review from an attacker mindset
  • Auditing smart contract code, both internal and that of potential partners
  • Advising on appropriate standards for the protection of sensitive information
  • Verifying sensitive processes to assure no hanky-panky is involved (i.e. airdrop eligibility lists)
  • Sponsoring active penetration tests
  • Coordinating vulnerability disclosures and incident response
  • Helping protect Foxes against cyberattacks and scams
  • Championing secure coding practices and a high standard of code quality

In addition, as ShapeShift US winds down, its Responsible Disclosure Program will be going with it; the Security workstream will have the responsibility of designing a proposal for the DAO’s own bug bounty program going forward.

No funding is requested at this stage; going forward, individual proposals will be brought at a later stage to fund specific initiatives, including any personnel requirements, and containing performance standards as applicable.

(For context, ShapeShift US’s Security department operates on a budget in the 5-figure-per-month range. I anticipate that the DAO’s Security workstream will likely have somewhat less in the way of systems expenses and somewhat more in the way of people expenses, but hopefully this is useful at least as a ballpark figure so that voters know what they’re getting into.)

I’m a Software Security Engineer in the current ShapeShift US Security department, and in light of the positive feedback received here, I’d like to volunteer to be the initial workstream leader.

It’s important that this workstream have a group of knowledgeable security engineers that the community trusts to coordinate sensitive tasks effectively, and a degree of continuity with the existing centralized infrastructure should help enable that trust. And while I can’t speak directly for my Security colleagues, I do believe that several of them will be joining us on this exciting but uncertain decentralized voyage, and I expect that they may also find their natural place in this workstream.

I’ll be leaving ShapeShift US’s employment at the end of the year. While I’m still on their payroll, I don’t intend to ask to be compensated for this role; afterwards, however, I do anticipate it being a paid position. (For the avoidance of doubt, I do also hope to make paid contributions to other workstreams as opportunities present themselves.)

Awesome idea, makes auditing much less of a hassle when you have a dedicated team. Maybe also funding for bug bounties/etc?

Glad to see this moving forward, will definitely support you as initial security workstream leader! You have my vote for this.

I definitely see this workstream as hosting a bug bounty program in the future. In the short term, ShapeShift US will continue to operate its own Responsible Disclosure Program, so we’re not under time pressure to come up with a replacement immediately.

We’ve learned a lot from running a centralized program like that, and several of us in the centralized Security department have been whiteboarding a way to design and run a bug bounty program in a truly decentralized way. There are also centralized or semi-centralized options like HackerOne or Immunefi, but my feeling is that this is one of those things you really want to get right and I’m very glad to have the extra breathing room to do the R&D work to see if the fully-decentralized setup we’re envisioning will be practical.

Thanks, I support this workstream and support you as initial workstream leader. It’s been a pleasure working with you at centralized ShapeShift and I look forward to continuing to work with you at the DAO.

I’ve moved this on to Ideation!