Polkadot Ecosystem vCISO Program w/Spearbit
TL;DR
0xTaylor is working with Spearbit/Cantina to bring an initiative that subsidizes the cost of a virtualized CISO for a limited number of parachain teams and top PBA graduates.
This program would fund 533 hours in total of a vCISO offering delivered by Spearbit's leading blockchain security experts. Top PBA graduates would receive up to 128 hrs, split among the winners, and Polkadot parachain teams would draw from a bucket of 405 hrs.
Also, WTF is a vCISO?
A virtual Chief Information Security Officer (sometimes called a fractional CISO) is a service provided by an external security provider to fill the security leadership role on a part-time or fill-in basis, guiding security principles for entities at an early or medium stage of maturity.
Synopsis
The proposal seeks to subsidize vCISO services (architecture review/advisory, fuzzing/unit testing, threat modeling + risk assessment, etc.) for the top Polkadot Blockchain Academy (PBA) participants and existing parachain projects. Security is crucial for any project that handles on-chain assets or smart contract code. When a project is exploited or hacked, it erodes trust and reputation with the wider web3 community, especially with retail and mainstream users. Traditional security reviews, private audits, and security services can be extremely expensive for projects, running upwards of USD $150K+ (much more in some cases).
We are seeking this effort for PBA projects and existing parachains so that these projects can focus their efforts, resources, and capital on development and engineering initiatives, and to incentivize their continued engagement with Polkadot. Our vCISO services are aimed at projects in the beginning and middle stages of the software development lifecycle (SDLC): a vCISO is a good fit for projects that are not yet ready for a full-blown, detailed audit. They are a strong option for projects that want to build with security at the forefront but aren't yet ready to invest a lot of capital in a security review or audit. We believe this program is crucial for the DOT ecosystem and the wider web3 ecosystem, as it aims to further secure both individual protocols and the wider DOT ecosystem.
Spearbit/Cantina will provide all deliverables (upon protocol approval and work completion) for transparency and ROI purposes, so that the community can verify that value is being delivered. Spearbit/Cantina is also responsible for reporting back on milestones, updates, and progress as the program continues through to completion. All funds requested will be used for vCISO services for PBA winners and existing parachains, plus the admin costs associated with the scoped work.
The full proposal can be viewed here:
https://docs.google.com/document/d/11o1GZaE3Qw1KAW58OhXzMcc96Ydq7p7oOVYaeW5-UBY/edit?usp=sharing
For further information relating to this proposal, please don’t hesitate to contact:
Henry Shen (henry@spearbit.com)
0xTaylor (0xtaylor@chaosdao.org)
Proposal Passed
Summary: Aye (64), Nay (19)
Comments (5)
If this is targeted to parachain teams, the CISO should have a background that enables that person to properly assess the threat landscape. After reading the Team description it seems like the team consists of mostly Solidity people. Can you provide references to previous work/audits/write-ups/published vulnerabilities that reflect knowledge of Rust libraries such as Substrate? The problem in web3 is that 1-2 years ago a lot of one-man bands started to become Solidity auditors, which resulted in a lot of options for not-so-talented auditors. The merit of the auditor is based on previous work, published research, and published vulnerabilities by the team and/or individual team members.
@rust_syndicate thanks for the comment and question. The people Spearbit has put forth for this program are more than capable of reading Rust code. Getting up to speed on Substrate will not be difficult for people of their caliber and expertise. I am also working with Spearbit to on-board at least 1 other expert with a background in Substrate, but I can't discuss it further because it's still in process. Additionally, they do have some talent with a Substrate background; the list provided isn't exhaustive, it's just some of the heavy-hitters they have available for this program. If you think these guys are no-talent one-man bands, you should dig into their backgrounds a bit more.
Beyond that though, the vCISO program is less about them getting deep in the code and more about the company's/project's larger threat surface and architecture. The project can apply to PAL to get regular code audits done.
If you know of anyone who would be a good vCISO candidate to participate in this program, please have them reach out. I'd be happy to on-board them.
Taylor has already shown a lot of good things to contribute to the community. In my opinion we should support a proposal that could bring positive things to the ecosystem, so Aye.
@Parachainboy thanks for the words of support! 🙏