Kick off the Bisq security team #75
The @bisq-network/security team has been created, consisting of the same members of the
Completing the checklist in this issue and closing it is not about fully carrying out the tasks enumerated, but rather making sure that each of them is "kicked off" in the form of a dedicated issue or project somewhere. If you're owning one of the items listed above, please just post a link to wherever that item is going to get managed going forward, and I'll check the box indicating that part of the kickoff is complete. Thanks.
I do not see any task in your enumeration to pick the contributor taking on this role. And there is no task that lets us assume that there will be some sort of "kick-off call" or a follow-up issue to this one. That is kind of surprising, especially because security should be a core interest of the crypto-based high-money-volume thing called Bisq. Since every team has a lead but security, it seems that security is still not prioritized enough.
I indicated this where I wrote
I have put a checkbox next to this sentence to make it clear it's a task to find someone to do this.
Following up on this issue, i.e. bringing it to a close is covered in #75 (comment). Assigning a security team lead, having a follow-up call, etc., are all things I would expect the person who is going to drive this to do. I've put this issue together to get that ball rolling, but as I've made clear, I'm not going to be able to drive this. Someone needs to step up.
@freimair Do you want to drive this initiative around Bisq's security efforts?
Are you asking me to "drive the initiative" or to become the "security team lead"?
As this is not about me to decide, I think that would be a great first agenda item for the initial call. |
I am not familiar enough with the inner workings of the interim CEO and group leaders so I just have to ask:
While the term "interim CEO" was floated during the idea phase before the Q1 update, the naming that we've landed on for this role is Admin Team Lead (bisq-network/roles#98). "group leaders" are "Team Leads" (@bisq-network/team-leads).
No, but it should be someone from the @bisq-network/security team, which is itself subject to change.
We need people to raise their hands, discuss what this role needs to entail and come to a consensus about who it's going to be. If I had a super strong feeling about who it should be, I would have nominated someone. I don't, so I didn't. This is for us to figure out. No bureaucracy or process is going to solve this. If you want to help solve it, please do.
Well, then I am going to follow @ripcurlx's comment and make some efforts in driving this forward, i.e. taking ownership of the last 2 bullet points (which should check the last one already if I am not mistaken):
I will think about how to pull this off and put together a preliminary agenda for an initial call and schedule such a call. In the process of doing so, it might become necessary to align with team leads (as I have not been involved in the ramp up) so team leads, be prepared to receive a call from me.
I see security bounties are on the list, but low prio. I would actually suggest to reconsider that, since:
By that, I mean that as soon as the announcement is out (let's say "we offer X BTC bounty for whoever finds a security or protocol flaw in Bisq that can lead to users losing funds") => it would immediately create the incentive for people far and wide to work on that. Secondary benefits include:
Why do I suggest BTC and not BSQ as bounty reward? Because only those who know Bisq know about BSQ, but everyone worth considering for this bounty knows and likely wants BTC. So it would massively reduce the effectiveness of the security bounty to offer BSQ rewards. Where would the BTC come from? Depends what the DAO decides, but a couple scenarios I could imagine are:
Another idea could be: make it a voluntary, donation-based "pot" -- perhaps introduce an optional fee or donation checkbox in the popup of every trade, "tick this checkbox to donate X% of the trade amount to make Bisq more secure, click here for more details" -> that can link to a page with a detailed explanation, saying how:
I would definitely donate some percent of my trades for that :) Anyway, the possible answers to "where would the BTC come from" are endless, because BTC is after all programmable money, and as long as the incentives align, there is a way to "program" a solution. So to summarise, the security bounty idea appears low effort to kick off + very high impact + has a "virtuous cycle" self-reinforcing dynamic which grows with time => the sooner it's kicked off, the better. Therefore it's probably worth prioritizing.
Closing as superseded by @freimair's efforts at bisq-network/proposals#225 and elsewhere.
In the wake of the Apr 7th security incident, it's clear that we need to take our security practices to the next level. The following checklist captures what we've discussed and decided on so far, most recently in the Apr 23rd team leads call (#74).