AGP Discussion: Comprehensive Aragon Security Review Program

Description of desired Association policy change

This proposal is to expand the Aragon Security Review program to include all Nest and Flock projects. This will allow developers to focus on building their applications. It will also allow the Aragon Association to build relationships with auditors, reducing time and money spent on security audits overall. This is essential for Aragon to be able to provide professional and trusted solutions for organizations on a global scale.

Aragon app developers (Nest or Flock) would be required to submit documentation along with a frozen codebase to the AA. At that point the AA would review and, if satisfactory, hand off the project to a security partner. The security partner would then review, present findings, and provide suggestions for improvement. The Aragon app developers would then need to incorporate all major and critical suggestions provided by the security partner before receiving their ANT bonus.

Motivation for changing this Association policy

Aragon is now shipping more apps through Autark, Aragon Black, and the Nest program. These apps are amazing and could unlock tons of value, but only if people use them…

People are wary of DAOs because of “the DAO” hack. For people to trust (and thus use) Aragon we need to go above and beyond to prove that the Aragon platform, and all major releases of Aragon apps, are secure. This is easier said than done.

  • Security audits are not perfect. Even with an audit all you know is what was reported. They might have missed something.
  • Security audits are highly technical and the process is opaque to people who are not involved in the Ethereum security community.
  • Security audits are expensive. Having strategic and financial help to navigate that negotiation is extremely important!

Aragon is trying to attract talent and users. Having the world's easiest-to-build-on and most secure platform is a huge selling point. If developers see that they will have help shipping professional and production-ready applications, they are more likely to choose to build on Aragon vs other platforms. If users trust that all major Aragon apps are secure, they're more likely to use them. To do this we need a multi-layered approach to security. This can include audits for all major projects (Nest and Flock) as well as a comprehensive Bug Bounty program that covers all major apps. This is a small price to pay to establish credibility and trust in the Aragon platform and developer ecosystem.

AGP

The official AGP for this proposal can be found here.

Note: there are 2 AGPs in the same PR, but this refers to the Security Review AGP.

This proposed policy doesn’t currently have a budget. Is the intention that this would fall into AA discretionary spending?

As far as the policy change to extend the policy to all Flock/Nest teams, I think it's totally reasonable to have any one of those teams propose projects for audit, but I'm not sure we should operate under the assumption that every project should be audited immediately.

I think for things like updates to aragonOS, absolutely we need to do a comprehensive audit; for apps which are upgrading contracts that impact orgs that have sufficient adoption, an audit is probably highly valuable. But for an app that hasn't launched and may or may not be used heavily, I wonder if it makes sense to simply do an internal (cross-team audit/code review) and wait to do a comprehensive audit until later?

The idea was that AA could negotiate with security partners to get a discount due to an ongoing relationship. Could be bulk pricing or having a security team on retainer. In the process of reaching out to security teams to ask about doing 1Hive audits I asked about bulk pricing and every security team either already has a program like this prepackaged or would be happy to negotiate terms.

This could be modified so that all Nest and Flock projects could have the option for a security audit. Then there could be an APM registry for audited applications that have undergone a more stringent review process and those that have not. This would still help devs ship quality, production-ready code and inspire confidence in users.

This is also an option, but AFAIK we don't have a program in place to do cross-team audits and/or code review. Everyone (I've talked to) is overworked and spread too thin. This type of program could be a great addition to the ecosystem, but we would have to create the bandwidth and incentives to make it happen. That seems like another conversation for another AGP lol