Summary

Reconfirm @MrNerdHair as Security Workstream Leader, pay him $16,250/month for the first six months of 2022, and allocate $50,000 to the Security Workstream.

Abstract

@MrNerdHair has served as the Security Workstream leader since 9/2021, and was paid by ShapeShift US until the end of 2021. He has done a good job so far, and the DAO should continue this mutually beneficial relationship.

As the responsibilities of the Security Workstream expand, it will need funding to create bounties and compensate additional contributors; $50,000 is allocated for these purposes.

Motivation

The DAO's relationship with @MrNerdHair has been productive. Having an in-house, full-time, security-focused resource for software architecture, contract review, and engineering assistance is quite valuable and compensation of $16,250/month is commensurate with the compensation of other workstream leaders.

As the products of the DAO increase in complexity and become adopted by a wider user base, the Security Workstream's role will also grow. As its responsibilities expand beyond what can be comfortably handled by a single person, so will the need to incentivize contributions from outside contributors -- both from other workstreams and from outside the DAO completely. Since the role of Security is primarily to support the efforts of other workstreams, it's tricky to anticipate funding requirements in advance; therefore, a fixed-funding model is proposed, with each future funding request to include an accounting of previous expenditures and the value they have delivered to the DAO.

Specification

1. The ShapeShift DAO engages VulTech, LLC (@MrNerdHair's consulting company) to lead its Security Workstream and provide associated services for the six-month period between 1/1/2022 and 5/31/2022. VulTech, LLC will be compensated $97,500 in total, payable at a rate of $16,250 per month via the DAO's usual contributor payment scheduling and distribution mechanisms.

2. The DAO's Security Workstream will be allocated $50,000 as operating capital.

• The Workstream Leader will coordinate with TMDC to draw these funds into Colony as needed.
• These funds may be used to create bounties, compensate workstream contributors, and fulfill any of the Security Workstream's obligations not explicitly funded via other mechanisms.
• These funds may be used for on-chain testing or to reimburse gas fees.
• While reimbursements for specific expenses incurred on behalf of the DAO are allowed, VulTech, LLC and its employees (i.e., @MrNerdHair) may not receive bounties or additional compensation out of these funds.

3. By the end of the term, the Security Workstream will achieve the following goals:

• Continue to administer the Responsible Disclosure Program
• Be available to discuss Security best practices and provide architectural support for all DAO initiatives
• Provide security review for DAO products and partner integrations
• Implement a system for tracking security work and providing visibility into velocity and resource allocation
  • Track Security Initiatives (stuff that Security does on its own to accomplish its own objectives)
  • Track Workstream Support efforts (stuff that helps other workstreams accomplish their objectives) and enable other workstreams to reserve security resources for their needs
  • Stretch goal: use "story points" to develop KPIs around overall velocity

Benefits

• @MrNerdHair continues to provide a best-in-class security resource for the DAO
• Security begins growing its contributor base to support the DAO's increasing throughput
• Security remains flexible and focused on supporting the needs of other workstreams as they are discovered

Drawbacks

• Flexibility to respond to other workstreams' needs as they are discovered requires an essentially pre-paid workstream funding model, which in turn requires trust that funds will be spent wisely
• Without historical velocity data, non-qualitative KPIs can't meaningfully be set this term

Voting

• For: Pay @MrNerdHair $16,250/month for the first six months of 2022, and allocate $50,000 to the Security Workstream.
• Against: Do nothing.