This amendment to the Security Auditing Department workflow is intended to establish a set of rules for accepting, approving and paying for security audit requests at Callisto Network.
Motivation
Previously, the Callisto Team accepted any security audit request and handled it free of charge by subsidizing the work of auditors from the Treasury fund. Audits were processed in a continuous queue as auditors performed the work.
This model assumed that audits were delivered in exchange for co-promotion, and that the general use case of Callisto as an independent security enhancement mechanism would boost its brand recognition and mass adoption.
The model had two main shortcomings:
Smart contract developers tend to use security audits as part of their marketing campaigns, and they will not promote Callisto as their partner if the audit identifies critical errors that could damage the marketing of the audited project.
Processing a constant queue of security audits is expensive and may hurt Callisto's long-term sustainability.
A new model of accepting audits is hereby proposed to address the flaws of the previous one and ensure the long-term sustainability of the Security Department.
Specification
Limited monthly free-of-charge auditing campaign
It is proposed to handle a limited number of security audit requests paid from the Treasury. A fixed budget must be allocated for a monthly "free-of-charge audits" campaign. The audit request that gained the most traction must then be performed for free, while the rest of the audit requests must be left with "on hold" status until they are processed on a paid basis or gain more traction in the following months.
The recognition and traction of a security audit request should be measured by the amount of social activity associated with the public announcement of the audit request on any public social media platform (Twitter, Reddit, Bitcointalk, Facebook). Project-specific forums do not count. The Callisto Team reserves the right to approve any audit request for a free-of-charge auditing campaign by internal decision in case social activity is falsified.
Paid security audits
Security audits not included in the list of free audits should be processed on a paid basis.
Priority | Payment formula
High | 500 USD + (0.5 USD per line of code)
High priority audits are processed before any audits in the queue, except for the highest priority audits.
The security audit requester can further increase the priority of an audit request by negotiating a higher payment with the security auditing manager when submitting the audit request.
We accept ETH, ETC, CLO and EOS.
Any of the Ethereum-based currencies (ETH, ETC or CLO) can be sent to this address as payment: 0x74682Fc32007aF0b6118F259cBe7bCCC21641600
EOS can be sent to this address callistotokn as payment.
The payment amount will be calculated based on the exchange rate of the currency that was used for the payment (calculated at CoinMarketCap rate). The amount of payment depends on the length of the code of the auditable contract. Empty lines of code and comments can be excluded.
It is recommended to use an SLOC counter to calculate the exact number of lines of code that require payment. Any overpaid amount of CLO, ETH or ETC will be returned to the sender's address after the completion of the security audit. Highest priority audit requests are processed ahead of the queue.
Security auditing fee
It is proposed to withhold a certain percentage of each audit request payment in order to fuel the sustainability of the platform.
Collected security auditing fees must be used to (1) market buy and burn CLO tokens and (2) pay third-party media representatives supporting the Callisto Network.
Example:
If the security auditing fee is set to 5% and 3% is paid to third-party media services, then:
95% of each audit request payment goes to the security auditors' salary pool
2% of each audit request payment is used to buy CLO tokens from the market and burn them at a specific non-existent address
3% of each audit request payment is redistributed among third-party collaborators of the project (media representatives helping the Callisto Team to announce and push the results of the security audit)