
Establish security team and team lead #225

Closed
freimair opened this issue May 20, 2020 · 2 comments
Comments

freimair commented May 20, 2020

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Following the recent decision on creating a security team, I stepped up in driving the efforts forward.

What happened so far?

Following the project's rationale, I did some preparations (deck, kick-off call agenda, held a kick-off call). Neither the project nor the kick-off call agenda received any comments indicating that something is wrong or should be improved. The kick-off call was held on 2020-05-14 and was joined by @cbeams, @sqrrm, @m52go and, although crippled by a very bad internet connection, also by @stejbac. The other members of the keybase security subteam @ripcurl and @wiz did not join. The call loosely agreed on reserving budget for security-related efforts; however, the only agenda proposed has at one point been referred to as being “too much” while at another time it has been referred to as not being detailed enough.

Next?

Since there have not been any other guys stepping up and no other agendas have been proposed (the one created by the team leads and posted by @cbeam clearly states that it is only there to get the ball rolling), there is only one candidate agenda anyway, so I intend to go forward with what we have. Therefore, following the preparations, here is the official proposal to be submitted to and voted on by the Bisq DAO.

IMHO

Bisq is in need of love when it comes to security. A security team with budget can go a long way. I suggest at least giving it a try. If it fails, we can revert everything.

Proposal

I propose to establish a security team and team lead to establish security as a permanent focus of Bisq - just like the support, ops and growth teams do in their realm. To be safe, add in a 2-cycle review period - if the setup fails to deliver, revoke it in a controlled manner.

Basics

  • the security team is a team similar to dev/ops/support and growth
  • the team lead has similar duties to the leaders of dev/ops/support and growth
  • the security team has budget, shift 15% (= USD 4350,00 per cycle) of dev budget to the security team to begin with
  • do a trial run, see how it works, revoke if unsuccessful

The duties and responsibilities of the security team are

  • firefighting
  • find attack vectors
  • design counter strategies
  • act as a think-tank, consortium and knowledge base for security-related stuff
  • no feature implementation work, because that is either dev or ops.

The duties and responsibilities of the security officer are

  • maintaining and driving a moving target agenda
  • budgeting security projects
  • hold project reviews on new projects and keep track of ongoing projects

The authority of the security team and its team lead are

  • by having a team similar to dev/ops/support and growth, the security team already has adequate authority in terms of prioritizing projects

How does it fit within the DAO

  • security is hard, it may not be reasonable to leave that to the general public in terms of response time, commitment and expertise (of course the team is open for anything if it fits the time frame and expertise).
  • Let the DAO decide on the definitions of the security team (duties, responsibilities, authority), the team agenda and revisions of all of the above
  • Spare the DAO the efforts of having to micromanage every single effort the team is up to, follow the proven concept of self-driven units
  • basically, follow the concepts already established by the dev/ops/support and growth teams.
  • all of the above is done by putting this proposal up for voting.

Evaluate and revoke

  • do a trial run for 2 cycles (until and including cycle 15)
  • review success, revoke the security team if unsuccessful. Success criteria are
    • grant a two week warm up time
    • given Bisq's global project management process has started 7 (non-management only) projects in 4 months and 0 of them delivered: start 2 projects, deliver 1 until the end of the trial run
    • use at least 50% of its budget (i.e. 50% of (USD 4350,00 * 2 cycles = USD 8700,00) = USD 4350,00)
    • one project review session can be missed due to unforeseen situations
    • have a more detailed agenda

Security team lead

Preliminary Agenda

preliminary agenda

@freimair freimair changed the title [WIP] Establish security team and lead [WIP] Establish security team and team lead May 20, 2020
@freimair freimair changed the title [WIP] Establish security team and team lead Establish security team and team lead May 22, 2020
cbeams commented Jun 5, 2020

This proposal was approved in cycle 13 voting, so the following tasks should now be carried out:

  • @cbeams to add @freimair to @bisq-network/team-leads GitHub team
  • @cbeams to grant @freimair maintainer role in @bisq-network/security team
  • @cbeams to add @freimair to @bisq.teamleads Keybase subteam
  • @cbeams to grant @freimair admin status in @bisq.security Keybase subteam
  • @freimair to add Security Team Lead issue in bisq-network/roles repository
    • follow suit with other team lead role issues
  • @freimair to add Security Team Lead wiki page
    • follow suit with other team lead wiki pages

cbeams commented Jun 12, 2020

Closing as approved now that all tasks in the comment above are complete. See bisq-network/roles#108.
