Kick off the Bisq security team

[cbeams]

In the wake of the Apr 7th security incident, it's clear that we need to take our security practices to the next level. The following checklist captures what we've discussed and decided on so far, most recently in the Apr 23rd team leads call (#74).

• [x] Create a private bisq.security Keybase subteam where sensitive security related matters can be discussed responsibly
• [x] Create a private bisq-network/security GitHub repository where sensitive security issues can be tracked
• [x] Create a @bisq-network/security GitHub team for access control over the security repository
• [ ] Design a responsible disclosure process. This would probably include creating, e.g., a bisq-security@protonmail.com email address that is owned and checked regularly by someone playing a particular role (like security team lead). Disclosures coming into that address would be relayed to the bisq.security Keybase team and/or the security repository and triaged appropriately. This process should be documented on the wiki.
• [ ] Commission a security audit of the Bisq trading protocol. @stejbac has agreed to do the work of this effort, but the methodology needs to be laid out and an agreement needs to be made about how issues raised in that audit will be addressed. I would recommend that the audit is run as a project. A project board can be created at the org level or at the security repository level to track the issues that are raised during the audit.
• [ ] (Possibly) create a security bounty program. @ripcurlx had some links to other programs that might provide a template. I see this as the lowest priority thing that we need to do on this list, but others may have different opinions.
• [ ] Communications need to be put together announcing these new efforts and processes
• [ ] Someone needs to own and drive all of this happening. I'm capturing what we've discussed so far, and as GitHub / Keybase admin, I'm creating the necessary infrastructure, but I cannot lead the effort myself.

[cbeams]

The @bisq-network/security team has been created, consisting of the same members of the bisq.security Keybase subteam and having write access over the new bisq-network/security repository. You should all have gotten notified due to the mention in this comment. Please give a 👍 to indicate you did.

[cbeams]

Completing the checklist in this issue and closing it is not about fully carrying out the tasks enumerated, but rather making sure that each of them is "kicked off" in the form of a dedicated issue or project somewhere. If you're owning one of the items listed above, please just post a link to wherever that item is going to get managed going forward, and I'll check the box indicating that part of the kickoff is complete. Thanks.

[freimair]

(like security team lead)

I do not see any task in your enumeration to pick the contributor taking on this role. And there is no task that lets us assume that there will be some sort of "kick-off call" or a followup issue to this one.

That is kind of surprising, especially because security should be a core interest of the crypto-based high-money-volume thing called Bisq. Since every team has a lead but security, it seems that security is still not prioritized enough.

[cbeams]

I do not see any task in your enumeration to pick the contributor taking on this role.

I indicated this where I wrote

Someone needs to own and drive all of this happening.

I have put a checkbox next to this sentence to make it clear it's a task to find someone to do this.

there is no task that lets us assume that there will be some sort of "kick-off call" or a followup issue to this one.

Following up on this issue, i.e. bringing it to a close is covered in https://github.com/bisq-network/admin/issues/75#issuecomment-620096142.

Assigning a security team lead, having a follow-up call, etc., are all things I would expect the person who is going to drive this to do. I've put this issue together to get that ball rolling, but as I've made clear, I'm not going to be able to drive this. Someone needs to step up.

[ripcurlx]

I have put a checkbox next to this sentence to make it clear it's a task to find someone to do this.

@freimair Do you want to drive this initiative around Bisq's security efforts?

[freimair]

are you asking me to "drive the initiative" or to become the "security team lead"?

[ripcurlx]

are you asking me to "drive the initiative" or to become the "security team lead"?

As this is not about me to decide, I think that would be a great first agenda item for the initial call.

[freimair]

I am not familiar enough with the inner workings of the interim CEO and group leaders so I just have to ask:

• is there a list of nominees?
• if it is not the CEO and group leaders, whose decision is it then?

[cbeams]

interim CEO and group leaders

While the term "interim CEO" was floated during the idea phase before the Q1 update, the naming that we've landed on for this role is Admin Team Lead (bisq-network/roles#98). "group leaders" are "Team Leads" (@bisq-network/team-leads).

• is there a list of nominees?

No, but it should be someone from the @bisq-network/security team, which is itself subject to change.

• if it is not the CEO and group leaders, whose decision is it then?

We need people to raise their hands, discuss what this role needs to entail and come to a consensus about who it's going to be. If I had a super strong feeling about who it should be, I would have nominated someone. I don't, so I didn't. This is for us to figure out. No bureaucracy or process is going to solve this. If you want to help solve it, please do.

[freimair]

well, then I am going to follow @ripcurlx comment and make some efforts in driving this forward - ie. taking ownership of the last 2 bullet points (which should check the last one already if I am not mistaken):

• [ ] Communications need to be put together announcing these new efforts and processes
• [ ] Someone needs to own and drive all of this happening. I'm capturing what we've discussed so far, and as GitHub / Keybase admin, I'm creating the necessary infrastructure, but I cannot lead the effort myself.

I will think about how to pull this off and put together a preliminary agenda for an initial call and schedule such a call.

In the process of doing so, it might become necessary to align with team leads (as I have not been involved in the ramp up) so team leads, be prepared to receive a call from me.

[cd2357]

I see security bounties are on the list, but low prio.

I would actually suggest to reconsider that, since:

• it would be a one-time (low) effort to setup
• it would basically have an immediate and ongoing effect, from moment of launch into perpetuity

By that, I mean that as soon as the announcement is out (let's say "we offer X BTC bounty for whoever finds a security or protocol flaw in Bisq that can lead to users losing funds") => it would immediately create the incentive for people far and wide to work on that.

Secondary benefits include:

• some of the brightest minds in security work in bitcoin => it would get them curious + having them try to hack Bisq is an ongoing (free) sort of "security audit"
• it would help spread awareness about Bisq (helping with growth)
• it could be a good way to attract worthwhile contributors

Why do I suggest BTC and not BSQ as bounty reward? Beause only those who know Bisq know about BSQ, but everyone worth considering for this bounty knows and likely wants BTC. So it would massively reduce the effectiveness of the security bounty to offer BSQ rewards.

Where would the BTC come from? Depends what the DAO decides, but a couple scenarios I could imagine are:

• if it comes to it and a security bounty has to be paid out, a proportional amount of BSQ from every current bond is taken and converted to the necessary amount of BTC
• alternatively: the DAO could decide to setup a multisig BTC account which would hold such security bounty funds (key holders of the multisig = some key roles in DAO; by distributing ownership, legal questions about who is in charge of the money are also covered, cause no single person owns the funds).

Another idea could be: make it a voluntary, donation-based "pot" -- perhaps introduce an optional fee or donation checkbox in the popup of every trade, "tick this checkbox to donate X% of the trade amout to make Bisq more secure, click here for more details" -> that can link to a page with a detailed explanation, saying how:

• as more people donate and the bounty amount grows, hackers have more incentive to try to hack Bisq
• this makes Bisq more secure, beacuse issues are found and fixed early
• as the pot grows, this attracts bigger and more sophisticated attacks
• which proves Bisq is more secure, thus attracting more people, some of who will donate to make it even more secure -> virtuous cycle

I would definitely donate some percent of my trades for that :)

Anyway, the posible answers to "where would the BTC come from" are endless, cause BTC is after all programable money, and as long as the incentives align, there is a way to "program" a solution.

So to summarise, the security bounty idea appears low effort to kick off + very high impact + has a "virtuous cycle" self-reinforcing dynamic which grows with time => the sooner its kicked off, the better.

Therefore its probably worth prioritizing.

[cbeams]

Closing as superseded by @freimair's efforts at bisq-network/proposals#225 and elsewhere.