Title: Decentralization of Notion Permissions
Authors: @Kaidao#3125, @links#7868, @Above Average Joe#5427
Date: Dec 12, 2021

Summary

On Dec 1, 2021, Discord user @tauli#0941 brought up to the Operations Guild that the Mission, Vision, and Values page on Notion was changed by a white hat intruder. The intruder described the lack of Notion security, and showed a proof-of-concept of how this could be an issue - changing the address of a Bankless Multisig on a public page.

The pages were reverted, and the intruder has not yet contacted us.

We need to secure Bankless DAO’s Notion workspace. There are significant problems with our current permissive model of allowing anyone to edit any page within the workspace, including outside breaches and accidental deletions.

This proposed model will decentralize Notion permissions by re-ordering the underlying page structure, groups, and permissions. Each guild/project will have the ability (and responsibility) to set permissions and visibility for their Notion pages. This will give guilds and projects flexibility to manage their own documents and compartmentalize security breaches.

There will also be a team within the Operations Guild that will act as Notion administrators to administer all DAO-wide pages.

BACKGROUND

The Bankless DAO Notion workspace was recently hacked. The hacker changed the content on the Mission, Vision and Values, and more concerningly, the bank token address on the Gnosis Safe CSV Airdrop How-To document.

Notion security hasn’t been a priority, so there isn’t a DAO-wide policy yet. Notion includes some tools to help us solve this issue, including groups, pages, page groups, and permissions.

MISSION & VALUES ALIGNMENT

This proposal will help us refine our DAO tooling by further decentralizing our knowledge management model.

SPECIFICATION

Notion Workspace Changes

• Every single article on Notion will belong to either a specific guild/project or to the Notion administration team
  • Each guild/project will have their own Notion user group and page group
• DAO-wide articles will be managed by the Notion administration team
  • Examples: Meeting Notes, Meetings Calendar
  • Meeting notes will be held at the Guild/Project level, and linked to a top-level Meeting Notes page
• ALL permissions will be reset to read-only, except for the Guild and Project Coordinators, who will have full access to their pages. They are expected to set appropriate permissions for their respective guilds/projects.

Notion Administration

• A small group from the Ops Guild will be given administrative rights for the top-level Bankless DAO Notion workspace.
  • This group should consist of L2s only
  • The working group will be responsible for managing all DAO-wide documents
• A new role within the Ops Guild will be created: Notion Administrator (see Financial Implications for complete responsibilities).
  • The Notion Administrator will be responsible for remediation in the event of a security breach.

Guild-Level Administration

• Guild coordinators will have full access for guild page groups and user groups
  • Coordinators can delegate these permissions as they see fit
• Each guild will appoint individual(s) responsible for their area’s Notion administration: the Guild Notion Administrator
  • Guild Notion administrators will have full access for guild page groups and user groups, and responsibility for managing each (see Financial Implications for responsibilities)
• Default permissions for pages should be permissive for guild/project members and restrictive for non-members.

FINANCIAL IMPLICATIONS

Operations Guild Role: Notion Admin (5hrs/week)

• 65,000 BANK/season (5 hrs/week * 1000 BANK/hr * 13 wks/season)
  • BANK/hr is based on recommended compensation, and will be adjusted as the recommendation is updated
• Responsibilities:
  • Determine and document best practices for Notion permissions
  • Advise and support guilds on implementation of best practices
  • Review ongoing permissions and flag potential risks
  • Review pages within the global workspace and deal with any orphaned pages
  • Deal with any intrusions as they arrive
  • Back up the Notion site regularly

Guild roles: Guild Notion Administrators (1hr/week)

• 169,000 BANK/season (1 hr/week * 13 guilds * 13 wks/season * 1000 BANK/hr)
  • BANK/hr is based on recommended compensation, and will be adjusted as the recommendation is updated
• Responsibilities:
  • Manage Notion user group (i.e. add/remove users)
  • Manage Notion page group (i.e. permissions of pages)
  • Report and remediate intrusions with support from the Notion Administrator

Infrastructure costs

• Costs incurred for Notion seats are beyond the scope of this proposal, but guidelines for how many Notion members a guild can have will be determined (based on the size of the guild).
• ~$2USD/month (in Siacoin) to back up Notion on the decentralized Sia network: About renting on Sia - Sia Support Docs

BRAND USAGE

No brand usage required for this internal project.

SUCCESS METRICS OR KPIS

• Reduction in # of people with top-level Notion access
• # of distinct “permission compartments”, which reduces risks of future incursions

NEXT STEPS

• The proposal will be submitted for approval
• Select a (small) group of L2’s within the Operations Guild to have top-level Notion administration access
• Notion Administrator to be determined
• Follow steps in “Specification” to secure our Notion site

SQUAD BACKGROUND

@Kaidao#3125 is currently a technical product manager for a large retailer, specializing in their enterprise payments and checkout systems. He’s new to the DAO and web3 world, and motivated to learn more.

@links#7868 is an expert in new product development, having built several distributed startup teams and launching even more products in the last 14 years. He’s well-versed in team operations and technology, and believes strongly in distributed organizations.

@Above Average Joe#5427 currently handles billing for notion subscription.

POLL

Thank you for writing up this important proposal.
Notion is a great tool and as we approach Season 3, it’s a good time to take care of the information we have recorded there by ensuring access is limited to bDAO people.
Just quietly, I would be interested in the Notion admin role.

I second you for that role! Fits in nicely with some of your existing duties, and you’d be great for the job!

Well - thank God it was a white hat hacker and not otherwise. Thanks links for the proposal - and kudos too to Kaidao and AAJ.

Do you have an argument for just Ops Guild L2 members being part of the DAO-wide Notion Pages? Based on decentralization principles, just having one guild doing this work and just them choosing the person responsible is kinda counterintuitive because there is no conflict of interest to balance power. I think this role is of utter importance for all bDAO members and any L2 could take it, not just Ops Guild.

Then, salary is way too much for mere supervision and guidance. This is a position of trust, not a technical job where you need to have extensive knowledge. DAO’s notion coordination is fairly good most times and hacks being common when permissions get decentralized will be almost non-existent. Even more balanced will be having different L2 members of different guilds having a position of power into this issue and rotate them based on guild internal elections or general elections. Correct me if wrong, but I think we are overpaying for security.

I think it’s a good idea to have the Notion admins not be Ops-guild exclusive. I can see the argument for having this working group of administrators be a cross-guild group to make sure all voices are heard. I also think to your point, it aligns with the principles of decentralization. We briefly discussed having the individual guild Notion admins take on more responsibility, but we believed that having a central working group with specialized knowledge would be beneficial to multiple guilds. I’m not familiar with how to get this proposal change in front of others, but would love to hear more ideas here.

On the topic of salary, it seems that 1000BANK/hr is the recommendation going into Season 3 based on this: Onwards to Season 3!, but will be adjusted if the recommendation changes. 5 hours / week is fair for general Notion Admins (at least for this next season) as groundwork with security reviews, best practice documentation, and advisement will be required at the onset.

I’m actually not too worried about decentralization here. Notion administration falls under Ops Guild insofar as we manage the notion subscription and many notion admins are also ops guild admins.

There’s nothing stopping any member from joining the notion team. It’s just that the workstream gets housed under ops to make coordination and defined responsibilities easier.

cc @Kaidao

I think this proposal is a good idea because we need to add some layer of security to our notion pages. It’s something I’ve been worried about for a few months now.

I think this amount should go to the guilds instead of individuals. Each guild will most likely have multiple people who will most likely share the duties of adding or removing individuals.

Perhaps this is something we test and budget for in Season 3 coming out of Ops Guild and then move to individual guilds in Season 4?

I understand the concern, and definitely think it could be something we do in the future. Currently, the Ops Guild is the best set up to handle such a task and the barrier to entry to the Ops Guild is low - so any L2 can effectively be part of this by raising their hand in the guild. By giving projects/guilds complete control over their own domains, we’re still improving improving security with principles of decentralization, but we need to take action sooner rather than later on this, so we went with the expeditious route assuming we’ll further improve later.

I think the 5 hours a week will definitely get used in season 3. These are all new workflows, and they need to be ironed out, communicated with guilds/projects, refined, and documented so that we have a base to work from for future seasons. There are 13 guilds and at least twice as many projects - that’s a lot of communication burden! It could be lowered in future seasons once we get this baseline work done.

On the question of security, we’re talking about a very high-impact worst-case scenario. The hacker changed the Bankless Multisig…the multisig that contains our revenue. Could you imagine the 25 ETH from DAOpunks being routed to a hacker? It would be catastrophic. Having someone responsible for Notion security may seem expensive, but it’s insurance against worst-cases like this.

Thanks for the feedback, and I’d love to discuss more if you disagree.

Totally agree this should go to the guilds. In my mind it would be part of each guild’s seasonal budget as a required role (just like a coordinator and 3 multisig signers). That being said, most guilds have already submitted seasonal budgets, so I think @frogmonkee 's suggestion probably makes sense.

I’m not really well-versed in how seasonal funding works, so I’m probably not the best to answer the tactical details, but philosophically this should be part of guild budget.

Well thought out and well said.

100% support, it feels so vulnerable at the moment and all of our great effort in organizing and coordination is there.

This is super important. I had disliked the thought of sharing our user guide docs with every ransom person since any link gave them all full read/write access. I’d set up a temporary solution but this is great news! Strongly support this!

LOVE this proposal, very needed—I didn’t actually know that white hat hack occurred. Thank you for bringing this to the attention of the DAO.

I highlighted this section because this feels like it would fit under either 1. guild coordinator roles or 2. guild governance roles. I think rather than creating new guild roles, there could be a short training of some form for guild leaders so they can learn the best way to secure notion pages. I don’t foresee it requiring a TON of work, which is why I think it could be built into existing roles, but I’ve been wrong about workloads before!

Again, great proposal! This is SO very needed.

I feel like we are web 3 companies trying to squeeze ourselves into a web 2 world.

We should commission our dev guild to build a web 3 notion. Gated by tokens as well as NFTs. That would solve 99% of these problems. (Of course users still can be hacked. But hacking a wallet just to change a page seems like a stretch)

We’re also limited on resources though. Notion is an incredibly powerful tool that’s raised over 300M USD in funding. We can’t build Web3 versions of everything on principle. I’m sure a Web3 version of Notion will be created - same with Discord - and we can migrate.

Sounds like a great startup idea to look into!

resources is a function of time and money.

For what we do not have, we can make up with our media clout.

I’m sure issuing a thousand NFTs to do the seed funding to support something of this scale should be quite possible.

Just that as usual, we need good stewardship and leaders.

I’m confused by this part. Is this a recommendation for Guilds to ask this much more in a budget proposal? Or is the treasury automatically handing out this much money to pay for someone to take on this role?