dhive
[Ideation] [SCP-104] Outsource the DAO’s Responsible Disclosure Program to HackenProof

[Ideation] [SCP-104] Outsource the DAO’s Responsible Disclosure Program to HackenProof

avatar
ShapeShift by 0xe9039a93D0D4994d79224E6E11749163440a4a83 on
September 6, 2022, 6:13 PM

AboutVotersAnalytics

Summary

In the absence of a Security Workstream the DAO's Responsible Disclosure Program (RDP) created in SCP-46 needs a sustainable path forward to ensure we incentivize security researchers to disclose vulnerabilities that may adversely affect the DAO, token holders, or our community. HackenProof provides an affordable, easy to administer, crypto native platform that can fulfill our current needs for a monthly fee of $1,200 USD + 10% of bounty payouts. If passed this proposal would establish a budget of 75,000 USD/yr for the ongoing administration of the program in addition to bounty payments.

Motivation

Shapeshift has a long history of taking security seriously. @MrNerdHair established the DAO's RDP in [SCP-46] that is currently without a clear owner or budget after the expiration of the security workstream. In order to continue this program it requires an owner responsible for its administration within the DAO, a budget, and resourcing to ensure its success.

Specification

If passed this proposal would enact the following:

  1. Extend the mandate of the Operations Workstream to become the owner of the Responsible Disclosure Program
  2. Establish a budget of 75,000 USD/yr that includes 15,000 USD/yr for on-boarding the DAO to HackenProof and a reserve of up to 60,000 USD/yr for potential RDP payouts. In the event that a disclosure warranted payout beyond this budget, a proposal would be needed to extend the budget beyond this amount.

HackenProof

HackenProof provides a simple interface that can be accessed by any number of DAO members. Additionally, they accept crypto for payment of their fees and payouts to researchers. They are willing to on-board the DAO directly, without an intermediary (IE the foundation). The agreement with them is month-to-month and in the event a new security work-stream is formed, they will have the ability to modify the proposed program.

Below are some screenshots of their interface:

Screen Shot 2022-08-31 at 8.00.44 AM|690x442

Screen Shot 2022-08-31 at 8.01.06 AM|690x333

Screen Shot 2022-08-31 at 8.01.32 AM|690x469

The Operations Workstream as owner of this program would be responsible for:

  1. Setting up and continual maintenance of the RDP in HackenProof
  2. Primary point of contact post triage for new disclosures from HackenProof
  3. Coordinate with DAO workstream's to mitigate open disclosures
  4. Discretion to determine pay out amounts based on inputs from HackenProof
  5. Ensure sufficient funds are allocated to HackenProof's wallets for ongoing maintenance and bounty payouts.
  6. Updating and maintaining all external facing documentation regarding the RDP
  7. Assist the Support workstream to funnel all disclosures to HackenProof for intake.
  8. Reporting program updates back to the DAO community.

Benefits

  • Clear owner of the DAO's Responsible Disclosure Program
  • Outsourced administration for triage process to top tier firm used widely in the industry.
  • Continues Shapeshift culture regarding the importance of Security.

Drawbacks

  • 75,000 USD/yr in expenses (~15k to HackenProof, ~60k reserves for potential bounty payout)

Snapshot Poll To Follow.

Warning
Exercise caution when exploring DAO proposals. Proposals can be submitted by any member of the community so there's an inherent risk of encountering scams or deceptive links. Always critically assess the validity of each proposal and its links before taking action.
start
September 6, 2022
6:02 PM
end
September 13, 2022
2:00 AM

Voting
off-chain
Voting type
single-choice
Voters
79
Votes
2,492,318

Final Votes
closed
Yes
2.5M FOX
100%
No
5 FOX
0%