[bisq-network/proposals] [WIP] Establish security team and lead (#225)

Florian Reimair notifications at github.com
Wed May 20 13:44:30 UTC 2020

> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

Following the [recent decision](https://github.com/bisq-network/admin/issues/75) on creating a security team, I [stepped up](https://github.com/bisq-network/admin/issues/75#issuecomment-621148410) in driving the efforts forward.

### What happened so far?

Following the [project's](https://github.com/bisq-network/projects/issues/33) rationale, I did some preparations ([deck](https://docs.google.com/presentation/d/1ft_01jRdFI2w6H9KdAtl3Oxmkg-NRbWeOWmAGVYJ7ss/edit#slide=id.g6db4639ca5_0_83), [kick-off call agenda](https://docs.google.com/document/d/1PbnUwQUWfGEy0yunZ_XHNtu6acBNWDPzAnOSslE0xAw/edit), held a kick-off call). Neither the [project](https://github.com/bisq-network/projects/issues/33) nor the [kick-off call agenda](https://docs.google.com/document/d/1PbnUwQUWfGEy0yunZ_XHNtu6acBNWDPzAnOSslE0xAw/edit) received any comments indicating that something is wrong or should be improved. The kick-off call was held on 2020-05-14 and was joined by @cbeams, @sqrrm, @m52go and, although crippled by a very bad internet connection, also by @stejbac. The other members of the keybase security subteam, @ripcurl and @wiz, did not join. The call loosely agreed on reserving budget for security-related efforts; however, the only agenda proposed has at one point been referred to as being “too much” while at another time it has been referred to as not being detailed enough.

### Next?

Since there have not been any other guys stepping up and no other agendas have been proposed ([the one created](https://github.com/bisq-network/admin/issues/75) by the team leads and posted by @cbeams clearly states that it is only there to get the ball rolling), there is only one candidate agenda anyway, so I intend to go forward with what we have. Therefore, following the preparations, here is the official proposal to be submitted to and voted on by the Bisq DAO.

### IMHO

Bisq is in need of love when it comes to security. A security team with budget can go a long way. I suggest at least giving it a try. If it fails, we can revert everything.

# Proposal

I propose to establish a security team and team lead to make security a permanent focus of Bisq - just like the support, ops and growth teams do in their realm. To be safe, add in a 2-cycle review period - if the setup fails to deliver, revoke it in a controlled manner.

#### Basics
- the security team is a team similar to dev/ops/support and growth
- the team lead has similar duties to the leaders of dev/ops/support and growth
- the security team has budget, shift 15% (= USD 4350,00 per cycle) of dev budget to the security team to begin with
- do a trial run, see how it works, revoke if unsuccessful

#### The duties and responsibilities of the security team are
- firefighting
- find attack vectors
- design counter strategies
- act as a think-tank, consortium and knowledge base for security-related stuff
- no feature implementation work, because that is either dev or ops.

#### The duties and responsibilities of the security officer are
- maintaining and driving a moving target agenda
- budgeting security projects
- hold project reviews on new projects and keep track of ongoing projects

#### The authority of the security team and its team lead is
- by having a team similar to dev/ops/support and growth, the security team already has adequate authority in terms of prioritizing projects

#### How does it fit within the DAO

- security is hard, it may not be reasonable to leave that to the general public in terms of response time, commitment and expertise (of course the team is open to anything if it fits the time frame and expertise).
- Let the DAO decide on the definitions of the security team (duties, responsibilities, authority), the team agenda and revisions of all of the above
- Spare the DAO the efforts of having to micromanage every single effort the team is up to, follow the proven concept of self-driven units
- basically, follow the concepts already established by the dev/ops/support and growth teams.
- all of the above is done by putting this proposal up for voting.

#### Evaluate and revoke

- do a trial run for 2 cycles (until and including cycle 15)
- review success, revoke the security team if unsuccessful. Success criteria are:
  - grant a two week warm up time
  - given that Bisq's global project management process has started 7 (non-management only) projects in 4 months and 0 of them delivered: start 2 projects, deliver 1 by the end of the trial run
  - use at least 50% of its budget (i.e. 50% of (USD 4350,00 * 2 cycles = USD 8700,00) = USD 4350,00)
  - one project review session can be missed due to unforeseen situations
  - have a more detailed agenda

#### Security team lead

- @freimair
