Draft AGP for ANV-02: ANSP Engagement Policy


AGP: TBD
Title: ANSP Engagement Policy
Author: Alexander Wade
Status: Stage II
Track: Association
Created: 2019-04-08


Description of desired Association policy change

Proposed Change

Give the Aragon Association the discretionary authority to source security partners and procure their services outside of the Aragon network voting cycle.

This authority does not preclude the submission and execution of security partner proposals through the current AGP process. Rather, it creates a new, flexible avenue for security partners to provide services to the Aragon network on an as-needed basis.

Sourcing - The AA can source qualified teams or personnel to provide security services to the Aragon network.

Funding - The AA will work with security partners and Flock teams to fund mutually agreed upon security services.

Reporting - The AA will include spending on security services in the Quarterly Transparency Report. Security partners contracted through this discretionary authority will endeavor to produce public reports and summarizations of engagements regularly.

Signals for Sourcing

The AA should use the following signals to select security service providers:

  • Demonstration of relevant technical knowledge
  • Recommendations from Flock Teams
  • Recommendations from the Aragon community
  • Recommendations from existing security partners
  • Recommendations from members of the security community

Procurement Process

The following is an example of the process by which an engagement would occur for a typical security audit. For other types of engagements, the AA should endeavor to assess all requests from Flock teams and/or proposals from potential security partners on an as-needed basis.

  1. Flock team provides the ANSP(s) with finalized code and corresponding documentation
  2. ANSP produces a Statement of Work (SoW)
  3. AA and Flock teams review SoW and make revisions if needed
  4. Work between the ANSP and Flock team begins under the terms of the agreed-upon SoW
  5. Upon completion, the ANSP will produce a public report summarizing the engagement

Reporting

The operations of any security partners should conform to Aragon’s norm of transparency.

  • The AA should include spending on security services in Quarterly Transparency Reports
  • Security review reports should be responsibly disclosed and archived on the Aragon Wiki
  • Security partners should endeavor to provide regular updates to the community on their engagements

Motivation for changing this Association policy

Security partner responsibilities rely heavily on the results of the Aragon Network Vote

Current and previous proposals to provide security services have made use of the Finance track for AGPs. This track requires the proposing party to provide the exact funding amount that will be needed and is the primary track used by Flock teams to fund development of their projects.

The goal of the ANSP relationship is to provide security services to Aragon Flock and Nest teams. The results of each Aragon Network Vote dictate which projects and teams have been funded, and which have not. For this reason, aspiring security partners are unable to make proposals that accurately reflect the services they will be providing.

Ongoing advisory is a new direction for Ethereum’s security firms

Unlike many Ethereum applications, aragonOS enables Aragon teams to continually improve their products with regular releases and upgrades. Securing these applications requires a very different approach than the widely-practiced “one-off audit” security model. Instead, Aragon projects will realize the most value from continuous review and advisory provided by experienced firms.

This trend towards continuous advisory does not exist in any significant capacity in the Ethereum security community. As the relationship matures between Aragon and its security partners, the dynamics of the relationship will be subject to considerable change. For security partners to provide the most value to Aragon, the short-term should prioritize flexibility.

The AGP process does not accommodate changing requirements and deadlines for security firms

Software development is an imprecise art and is frequently subject to delays as expectations and requirements change. Security audits can act as a catalyst for this change, uncovering unexpected problems that require additional work to fix (and subsequent further review).

As the AGP Finance track does not account for variance in deliverables or deadlines, discretionary authority by the AA must be utilized to ensure security partners can provide the resources required.
Goals for this policy

This policy is intended to be temporary and should be used according to the following:

  • Give teams the freedom to legitimately adapt, develop, and refine Aragon’s code review process
  • Lay the foundation for inclusion of on-chain governance into the code review process
  • Ensure ANSP code review deliverables can be tailored to the precise needs of the Aragon network
  • Ensure Flock teams can ship as safely and quickly as possible

License

Copyright and related rights waived via CC0.

This seems like a great idea and covers some of my concerns outlined in the other ANSP forum post!

Hope this goes through, I think it’s important to have the funding be more agile, especially when it comes to security and shipping code.

100% support this

Great, strong support for this proposal (which fwiw we reviewed and commented on last week), removes the need to add a deposit balance to the AGP I’ve drafted.

Thanks to Authio for driving this process!

Glad to see support from both a Flock and AA member!

And yes - it was mentioned on the other post, but Diligence worked with us on this one. Thank you!

I see it just went up: https://github.com/aragon/AGPs/pull/43, thanks again for putting this together guys!

I’d like to understand a bit more the relationship between this AGP and AGP-37. If AGP-37 is rejected, but AGP-43 approved, would the AGP-37 proposal be rerouted through the new AGP-43 process?

I’m generally a fan of delegating the decision of security partners away from the AGP process, as it seems like the technical nature of audits (and in particular rolling audits) is a bit difficult to assess on an individual basis. Additionally, the quarterly cycle of AGP votes does not seem particularly conducive to being efficient/effective with this relationship.