I propose that the DAO establish a Responsible Disclosure Program to incentivize security researchers to test our products for vulnerabilities and report them in a way that helps us protect our users.
Disclosure Policy
As a DAO, all our code and systems are public, and we must assume that it’s only a matter of time before any vulnerability we receive a report about is discovered by the bad guys. Experience running the centralized RDP has also provided the valuable insight that hanging onto reports for too long presents serious record-keeping issues. Thus, I propose that the DAO’s RDP have an explicit 90-day disclosure policy, with all reports actively published after they are remediated, or after 90 days, whichever comes first.
Scope
This program will cover:
- Smart contract code developed by the DAO
- Smart contract code deployed by the DAO on-chain on a mainnet
- The specific projects hosted at the following GitHub repositories:
- shapeshift/web
- shapeshift/lib
- shapeshift/unchained
- shapeshift/hdwallet
- keepkey/keepkey-firmware
In addition, any software hosted under the ShapeShift or KeepKey GitHub Orgs or the @shapeshiftoss NPM Org will be eligible if it is a dependency of something in-scope.
Specification
NFT Hall of Fame
I propose that the DAO fund the creation of an NFT-based Hall of Fame on the xDai chain, and that recognition for a researcher’s contributions be provided in tokenized form.
- A security researcher who submits a valid report will receive an NFT, which will be locked for the duration of the RDP’s 90-day disclosure period. If the issue they’ve reported is later found to be invalid – or if they choose to disclose it publicly during the embargo period – the NFT will be revoked.
- The NFT will be unlocked automatically upon the expiration of the disclosure period, or earlier once the issue is remediated. Once unlocked, the NFT will pay to its holder a small, fixed bounty, as compensation for their effort in reporting the issue.
- The Bounty Committee will meet on a regular basis to evaluate all newly-remediated issues and assign bounties to them. Bounties will be paid out to the holder of the associated NFT. This will enable the researcher to “cash out” early, without needing to wait for the Bounty Committee, by selling their NFT. (Prospective buyers will likely be knowledgeable both about the issue's security impact and the DAO's bounty process, and who thus experience less risk by holding the asset than the researcher themselves.)
- The NFT’s metadata will include name and URL fields which the researcher may set and then lock. This ensures that they will retain the credit for their report, even if they do sell the NFT. (The DAO will retain the ability to override a locked NFT's metadata in case of the exercise of Godwin's Law or other exceptional circumstances.)
The Security Workstream will manage the issuance and revocation these NFTs.
Bounty Committee
A Bounty Committee will be established for the purpose of reviewing and assigning bounty values to remediated reports. This committee should have good technical and security credentials, but should also represent a cross-section of the DAO community. Its purpose is to avoid the potentially-problematic process of allocating a “budget” for bounties while providing confidence to the DAO that bounty funds will be well-allocated, as well as to provide assurance to security researchers and prospective holders of Hall of Fame NFTs that reports will receive serious consideration and fair awards.
(Bounty awards are necessarily more qualitative than quantitative, but I also feel that it would be wise for the Committee to publish some general guidelines on what general types of issues will be awarded at what general amounts.)
The Bounty Committee’s recommendations will be submitted to the DAO in the form of proposals to pay specific bounty amounts directly from the treasury to the holder of a specific Hall of Fame NFT. These bounty proposals may go directly to a vote, skipping the normal forum and ideation steps of the governance process. This will allow the DAO to retain operation oversight of the amounts awarded.
Considering the impact and complexity of vulnerabilities is highly-skilled and mentally-demanding work, and the members of the the Bounty Committee will need to do it regularly. As such, they will be paid on an hourly basis for their work meeting and scoring reports.
The Bounty Committee will always contain the current Security Workstream leader; In addition, I nominate @willyfox, @0xdef1cafe, @mperklin, @majorhayes, @adam, and @0xcean, for a starting size of 7 members.
De-minimis Bounties
All valid reports deserve some financial recognition, no matter how serious the issue is; there's real overhead associated with engaging with us and reporting responsibly. Researchers should be incentivized by a guaranteed payout to do that even if they're not sure how serious an issue might be, and the Bounty Committee should not feel obligated to burden the DAO with proposals to award bounties to very-low-impact reports.
The “de minimis” bounty is compensation for participating in the administrative overhead of the reporting process, as well as a good-will bonus. It will be the same for every issue irrespective of the issue’s impact or technical complexity; those factors will be considered by the Bounty Committee and may result in an additional award. It will be paid automatically upon remediation of the issue or expiry of the 90-day confidentiality period.
Bounty awards by the committee will be paid in FOX, but the de-minimis bounties will instead be paid in xDai. Paying in xDai avoids the need for an on-chain price oracle to ensure the consistent value of payouts, and also ensures that even researchers new to xDai or crypto entirely will have enough gas to work with after an award.
Budget
Development of Hall of Fame contract
The contract powering the NFT Hall of Fame will not be handling large amounts of money or any user funds, so it won't need the same level of paranoia as most DeFi smart contracts, and I don't see an external audit as an essential part of the process. The DAO should retain the ability to edit or censor NFT metadata, and shenanigans should be revertable. (I envision the Hall of Fame being deployed as an upgradable proxy owned by the DAO's Colony instance.)
OpenZeppelin has most of the infrastructure needed for development of a custom NFT contract like the Hall of Fame; I don't see this as a huge lift, but it will require development, and the work should be compensated. It would be a great choice for outsourcing via a Gitcoin bounty or something similar.
Upon passage of this proposal, $15,000 will be allotted to the Security Workstream for bounties related to the development of the Hall of Fame.
On-Call Rotation
The Security Workstream will run an on-call rotation to triage and respond to vulnerability reports. While subject to change as operationally indicated, this will initially take the form of week-long on-call slots.
On passage of this proposal, $26,000 will be allotted to the Security Workstream for coverage of the first 6 months of this duty. Workstream members on call may request reimbursement at the rate of $1000/week.
Software Licenses (i.e. ZenDesk)
Though we may transition to a different solution in the future, for the moment ZenDesk is a good fit for our needs. ZenDesk licenses are $150 per seat per month, and I anticipate that running a continuous on-call rotation will require a pool of at least four people.
Upon passage of this proposal, $2400 will be allotted to the Security Workstream at the rate of $600/month for the next 6 months. The Security Workstream will request renewal of this allocation as required via its ordinary budget process.
Bounty Committee
Bounty Committee members will be compensated at a rate of $150/hour. Committee member workloads are estimated to be around 2-4 hours per month.
Upon passage of this proposal, $25,200 will be allocated to the Security Workstream at the rate of $4200/month for the next 6 months. The Security Workstream will request renewal of this allocation as required via its ordinary budget process.
De-minimis Bounties
De-minimis bounties will be 200 xDAI. (The centralized org used $50, which in my opinion is much too low and attracts the wrong caliber of researcher.) I believe that $200 is a rate that will make researchers feel appreciated and encourage their further engagement with the DAO, which is one of the program's goals; there's an aspect of paying for talent, or at least to attract potential talent.
Upon passage of this proposal, 10,000 xDai will be allocated to the Security Workstream to fund these bounties; the Security Workstream will request any top-up funds required via its ordinary budget process.
Test funds / gas costs
Setup and administration of the Hall of Fame will require funds in xDai for testing and gas to make the calls necessary to operate the contract. Upon passage of this proposal, 1000 xDai will be allotted to the Security Workstream for use as general testing/gas funds. This will provide enough funds to perform full-scale testing and also cover the gas cost of operating the Hall of Fame contract for quite a while.
Voting
- Yes: Establish the RDP and allocate funds as described.
- No: Do nothing at this time.
