Retainer for Ongoing Aragon Network Security Provider
AGP-37: Retainer for Ongoing Aragon Network Security Provider
We propose to continue our work securing the Aragon Network, on a retainer basis for a 6 month period, working with the entities responsible for developing aragonOS, Aragon apps, and other code of interest.
Address of the transfer recipient
Amount of the transfer
Number and frequency of transfers if recurring (enter “1” if only one payment will be made)
2 transfers of the amount above, payable every 3 months starting after ANV-02 has completed.
Purpose of the transfer
Description of Services
1. Iterative Security Review Services
In each 3 month period, we will allocate 5 weeks of 2 people "actively auditing". This may include smart contract auditing, penetration testing, application security review, or other intensive security review related work. We respectfully request a minimum of 2 weeks notice in advance of initiating an active audit phase.
If the full allocated time is not utilized in a given 3 month period, the difference will accumulate and carry over to another 3 month period. If Aragon One requires more time, we will charge the prorated fee in subsequent voting periods, or through the proposed ANSP Engagement Policy.
2. Secure Development Process Advisory Services
We will continue offering bi-weekly calls to assess and advise on the security of development processes, with the objective of enabling security, agility, and consistency in the release schedule.
The time allocation and advance notice outlined above are not designed to add friction or bureaucracy to our work with Aragon One or other teams. Between audit periods, we will continue to support, advise and engage with the Aragon One team. We understand that time estimation is difficult in software development, and we encourage caution over meeting arbitrary deadlines.
If a start date needs to be postponed, or something else needs to shift, we will make our best effort to accommodate. We currently have two excellent auditors working on Aragon. Under this retainer arrangement we will train up more excellent people on the Aragon codebase to make that kind of responsiveness possible.
We will also actively seek opportunities to enrich security knowledge and discussion across the entire Aragon Flock and community, and look forward to opportunities to work with other Flock groups.
We will engage with the community to improve their awareness of security health in the Aragon Network through the following channels:
- Attendance in bi-weekly all-devs calls
- Monthly reporting on our activities and outcomes in the Aragon Forum
- Public reports on findings from each active audit phase
Fill out the following information for each individual team member who will be managing funds from this transfer:
Name: Maurelian, PGP key fingerprint: DB2BA6DAA44C8330
Name: Goncalo Sa, PGP key fingerprint: 7194D885E14F7E36
Copyright and related rights waived via CC0.