Polkadot Treasury-based private cybersecurity response solution
dothacks
4 years ago
With this proposal, we want to introduce a substrate pallet named SRC (Security Response Center) that enables usage of treasury funds to address cybersecurity issues in a more transparent, fair, and privacy-protected manner.
You can review the full proposal here. Please leave your comments! Thank you!
Comments (13)
Hello,
Thanks for your proposal and editing the description here. I would need your help to understand why the chain would need such a new feature. There are a few points I would like to mention as a start for our discussion.
do we really need this pallet?
in other words, what does this pallet bring that current options don't?
Today, one may report a security issue publicly or privately. Today, proposals and tips or even bounties could be used to reward work.
any submitted data is public
Here I am concerned about potentially serious security issues. In this case, it would probably not be reported publicly at first, but responsibly reported and then only disclosed once a solution has been put in place.
onchain data is "forever"
While this statement is not 100% true (we could use a referendum or ask the council to vote about cleaning up some storage), we probably do not want to put too much transient data onchain and also not rely on a solution that requires what should be exceptional as part of the regular flow.
A security issue will likely be resolved (hopefully quickly). Once it is solved, having the information onchain does not bring much.
If the goal is for someone to prove the ownership of the discovery, it can be done today by putting (for instance) an IPFS hash on chain in the form of a system.remark. The data itself would not even have to be disclosed yet, but the finder can then prove later that (s)he made the discovery.
anonymity
Your proposal mentions anonymity. That's a very valid point.
What would prevent a whitehat today from:
last thoughts
Finally, while I think having a security response center would be a GOOD thing, I am questioning whether it needs to be on-chain, and thus, in the form of a new pallet.
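The "prove discovery without disclosing it" step from the comment above, as an added example that is not part of this thread or of any Polkadot code: the finder anchors a salted hash of the report (the kind of value a system.remark could carry), and later reveals report plus salt so anyone can check the commitment predates public disclosure. The chain itself is a constructed in-memory list here; `publish_commitment` and `prove_prior_knowledge` are hypothetical helpers.

```python
import hashlib
import os

# Constructed stand-in for the chain: a list of (block_number, remark_bytes).
# In reality the commitment would be submitted via system.remark and read
# back from the block that included it; this list only models that record.
CHAIN_REMARKS: list[tuple[int, bytes]] = []


def commit(report: bytes, salt: bytes) -> bytes:
    """Commitment = SHA-256(salt || report).

    The random salt matters: a bare hash of a short report could be matched
    by hashing candidate texts, so an unsalted commitment would leak the
    report's content to anyone who can guess it.
    """
    return hashlib.sha256(salt + report).digest()


def publish_commitment(commitment: bytes, block_number: int) -> None:
    """Model of anchoring the commitment on chain; no report data is disclosed."""
    CHAIN_REMARKS.append((block_number, commitment))


def prove_prior_knowledge(report: bytes, salt: bytes, disclosed_at_block: int) -> bool:
    """Reveal step: the finder hands over report and salt; a verifier recomputes
    the commitment and checks it was anchored strictly before the issue became
    public. Any change to the report or salt yields a different digest."""
    expected = commit(report, salt)
    return any(
        block < disclosed_at_block and remark == expected
        for block, remark in CHAIN_REMARKS
    )


if __name__ == "__main__":
    # Constructed sample report; the block numbers are illustrative only.
    report = b"constructed: unchecked arithmetic in a hypothetical pallet"
    salt = os.urandom(16)
    publish_commitment(commit(report, salt), block_number=100)
    print("verified:", prove_prior_knowledge(report, salt, disclosed_at_block=200))
```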
Having read the proposal I echo Chevdor's questions. This does not make immediate sense to me.