Following the project's rationale, I did some preparations (deck, kick-off call agenda, held a kick-off call). Neither the project nor the kick-off call agenda received any comments indicating that something is wrong or should be improved. The kick-off call was held on 2020-05-14 and was joined by @cbeams, @sqrrm, @m52go and, although crippled by a very bad internet connection, also by @stejbac. The other members of the Keybase security subteam, @ripcurl and @wiz, did not join. The call loosely agreed on reserving budget for security-related efforts; however, the only agenda proposed has at one point been referred to as being “too much”, while at another time it has been referred to as not being detailed enough.
Since no other guys have stepped up and no other agendas have been proposed (the one created by the team leads and posted by @cbeams clearly states that it is only there to get the ball rolling), there is only one candidate agenda anyway, so I intend to go forward with what we have. Therefore, following the preparations, here is the official proposal to be submitted to and voted on by the Bisq DAO.
Bisq is in need of love when it comes to security. A security team with a budget can go a long way. I suggest at least giving it a try. If it fails, we can revert everything.
I propose to establish a security team and team lead to make security a permanent focus of Bisq, just like the support, ops and growth teams do in their realm. To be safe, add in a 2-cycle review period: if the setup fails to deliver, revoke it in a controlled manner.
- the security team is a team similar to dev/ops/support and growth
- the team lead has similar duties to the leaders of dev/ops/support and growth
- the security team has a budget: shift 15% (= USD 4350,00 per cycle) of the dev budget to the security team to begin with
- do a trial run, see how it works, revoke if unsuccessful
The duties and responsibilities of the security team are
- find attack vectors
- design counter strategies
- act as a think-tank, consortium and knowledge base for security-related matters
- no feature implementation work, because that is either dev or ops
The duties and responsibilities of the security officer are
- maintaining and driving a moving-target agenda
- budgeting security projects
- holding project reviews on new projects and keeping track of ongoing projects
The authority of the security team and its team lead is
- by having a team similar to dev/ops/support and growth, the security team already has adequate authority in terms of prioritizing projects
How does it fit within the DAO?
- security is hard; it may not be reasonable to leave it to the general public in terms of response time, commitment and expertise (of course the team is open to anything if it fits the time frame and expertise)
- let the DAO decide on the definitions of the security team (duties, responsibilities, authority), the team agenda and revisions of all of the above
- spare the DAO the effort of having to micromanage every single effort the team is up to; follow the proven concept of self-driven units
- basically, follow the concepts already established by the dev/ops/support and growth teams
- all of the above is done by putting this proposal up for voting
Evaluate and revoke
- do a trial run for 2 cycles (until and including cycle 15)
- review success; revoke the security team if unsuccessful. The success criteria are
  - grant a two-week warm-up time
  - given that Bisq's global project management process has started 7 (non-management only) projects in 4 months and 0 of them delivered: start 2 projects, deliver 1 by the end of the trial run
  - use at least 50% of its budget (i.e. 50% of (USD 4350,00 * 2 cycles = USD 8700,00) = USD 4350,00)
  - one project review session can be missed due to unforeseen situations