InfoSec Team Season 3 Budget proposal

Program Name: BanklessDAO Information Security Team
Program Champion: BogDrakonov#1337 | bogdrakonov.eth
Multisig Wallet Address: 0x35201Cb23590bF72457F2E4Ee36D1BfeA3E7aa41
Meeting Discussions: InfoSec Meetings are held Mondays at 8pm EST

Program Justification

BanklessDAO members and crypto users as a whole have suffered many personal security breaches of their wallets, accounts, and other resources. Now BanklessDAO has been attacked directly with a Discord Nitro phishing campaign. It is clear that BanklessDAO needs an InfoSec team to not only manage and secure BanklessDAO’s IT resources, but also to educate DAO members about general security best practices on an ongoing basis.

The success of the InfoSec team will be measurable by a few key points:

  • BanklessDAO members, contributors, and guests gain an overall better understanding of how to stay safe online, and how to remain safe when transacting on EVM-based networks.
  • BanklessDAO remains secure against data breaches, attacks, vandalism, and theft/fraud.
  • Educational programs and content around information security, resulting in peer-to-peer education amongst Discord members and the wider Bankless community.
  • Deployment and management of security tooling results in a better view of BanklessDAO’s security posture.

Program Terms

The BanklessDAO InfoSec team is cross-functional in nature, as information security is everyone’s responsibility. The InfoSec team will be situated under the Dev Guild alongside DevOps. We will collaborate heavily with DevOps, the Ops Guild, and DAO administration regarding various team functions, which include:

  • Gatekeeping access and evaluating Principle of Least Privilege across the DAO.
  • Monitoring and alerting on critical systems where an intrusion would publicly harm the DAO (i.e. defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, etc.).
  • Help with improvements to onboarding new DAO members and the DAO-curious into proper personal operational security (OpSec) around protecting their accounts and assets (i.e. First Quest security tasks, easy-to-follow guides and educational material, newsletter and Medium content).
  • Collaborate with DevOps on infrastructure decision making to keep a “Security First” mindset without getting in the way of work.
  • Collaborate with the Writers Guild and EPA to develop and publish content both in bDAO’s Weekly Rollup and on its Medium page. At least initially, there would be a regular InfoSec or OpSec column in the Weekly Rollup to provide a forum to educate DAO members on best practices.

Infrastructure Costs

BanklessDAO InfoSec Team Costs

Team Compensation

The following DAO members are available to be a part of the InfoSec team during initial formation and will be compensated for the roles and rates both listed below:

  • InfoSec Team Coordinator - BogDrakonov#1337 - 120k BANK
    • Facilitate weekly discussions and meetings
    • Manage team direction and coordination
    • Manage project priorities and triage incoming help requests
    • Work on project missions
    • Office hours where I am active in voice chat at my desk for 1:1 sessions, receiving reports, educating users, or just general InfoSec discussions with whoever joins.
  • Google Workspace/GitHub Management - 100k BANK
    • Take this role over from DevOps, freeing up their budget for more infrastructure-related work.
    • Add Google Workspace to the list of services to manage access for
    • Two InfoSec team members will oversee GitHub Organization and Google Workspace management and split the work/payment evenly
  • InfoSec Educational Program - 30k BANK (Edit: lowered from 100k)
    • Create and maintain an educational InfoSec website for BanklessDAO
      • This will include working alongside the Newsletter Team to deliver bite-sized security-related content in the Weekly Rollup on a weekly basis
      • Partnering with the EPA to produce security-related content as it applies to both Web3 and the Web2 communities that support it (protocols and DAOs that exist on Discord, Twitter, etc)
      • Get some basic InfoSec starter guides into First Quest
    • Documentation for best practices on wallet security, 2FA, and other security hardening topics
    • Run a phishing campaign against the DAO
  • Discord Moderation Bot Project - 70k
    • Define requirements documentation by seeking input from Discord admins/mods and DAO higher ups
    • Evaluate existing mod bot products (Wickbot/MEE6/etc.)
    • Evaluate the effort in building a bespoke bot
    • Decide between existing products and bespoke
    • Implement the decision with the aid of the server owner.
  • General Team Bounties - 10k BANK per season (not including tips)
    • One off tickets for other teams
    • Any additional non-scoped work
    • Note taking during meetings, documentation, etc.
    • InfoSec POAPs design & release

Total: 330k BANK (Edit: Lowered from 400k)

Initial Team

  • BogDrakonov#1337 - InfoSec Team Lead/Coordinator
  • Dysan#6547 - Google Workspace/GitHub Management and team POAP master
  • d0wnlore#1050 - InfoSec Education Coordinator
  • Texas Farmer#2662 - InfoSec Educator

Do we fund the InfoSec Team for Season 3

  • Yes
  • No



While I support this overall initiative, the 100k education costs seem high when we already have precedents for what you are creating. Newsletters would be 1000 BANK per week for a short piece, and EPA has budget to produce content (I think it is 8000 BANK each). How many pieces are you going to create? That leaves a lot left over for documentation and a phishing campaign. I am not sure what similar rates are for coordinators or GitHub management, but my guess is Dev Guild could produce reliable totals.

We can definitely consider lowering the education budget. The goal is to have weekly entries in the DAO’s newsletter, and an information website containing the same topics, and guides further in depth at infosec.bankless.community or some similar URL.
As for the coordinator role I copied the DevOps budget there.

This is quite a necessary component for the DAO! I’m glad to incentivize this sort of action (and terrified of the phishing results).

I’m curious what the moderation bot would do, can you provide some additional insight there?

Agree with Siddhearta as well that education budget could be drawn from existing programs; let’s pull on that thread.

Also, given the cap on Discord channels, where would infosec channel live?


I’m going to reduce the education budget a significant amount down to 30k BANK to cover setting up the infosec website and maintaining it, since existing programs can pay for the content.

The InfoSec channels live right below the DEGEN section and have already been created by nonsense for us.

As for the moderation bot, we’re going to evaluate typical moderation configurations such as spammy posts (e.g. 100 emojis and nothing else) as well as suspicious links and mass posting. So for example, if we had the bot during that phishing attack, the bot would see the users posting the same content in different channels, delete all the messages and mute those users in all channels. They’d be required to DM a server moderator/admin to get the mute status removed so they can post again.
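One way to express the two rules described in this post (identical content cross-posted to several channels, and emoji-only spam) as detection logic, added here as an illustrative Python example rather than the team's actual bot; the Message record, the sample messages and the thresholds are constructed assumptions:

```python
from collections import defaultdict, namedtuple

# Hypothetical message record; a real bot would build this from Discord events.
Message = namedtuple("Message", "msg_id user channel content ts")  # ts in seconds

# Constructed sample: one cross-posted lure, ordinary activity, one emoji-only post.
SAMPLE = [
    Message(1, "lure", "general", "Free Nitro!! claim at example.invalid/nitro", 0.0),
    Message(2, "lure", "dev-guild", "free nitro!! claim at example.invalid/nitro", 5.0),
    Message(3, "lure", "writers", "Free Nitro!!  claim at example.invalid/nitro", 9.0),
    Message(4, "alice", "general", "gm, meeting at 8pm EST", 1.0),
    Message(5, "alice", "dev-guild", "PR is up for review", 30.0),
    Message(6, "bob", "general", "🎉" * 100, 40.0),
]

def normalize(text):
    """Collapse case and whitespace so trivially varied copies still match."""
    return " ".join(text.lower().split())

def is_emoji_only(text, min_len=50):
    """Spam heuristic from the thread: a long post with no letters or digits in it."""
    text = text.strip()
    return len(text) >= min_len and not any(c.isalnum() for c in text)

def flag_cross_posts(messages, min_channels=3, window=60.0):
    """user -> ids of identical posts made to >= min_channels channels within `window` seconds."""
    groups = defaultdict(list)
    for m in sorted(messages, key=lambda m: m.ts):
        groups[(m.user, normalize(m.content))].append(m)
    flagged = {}
    for (user, _), msgs in groups.items():
        for i, first in enumerate(msgs):
            burst = [m for m in msgs[i:] if m.ts - first.ts <= window]
            if len({m.channel for m in burst}) >= min_channels:
                flagged.setdefault(user, set()).update(m.msg_id for m in burst)
                break
    return flagged

def moderate(messages, min_channels=3, window=60.0):
    """Actions the bot would take; the mute is lifted only after the user DMs a mod."""
    actions = []
    for user, ids in flag_cross_posts(messages, min_channels, window).items():
        actions += [("delete", i) for i in sorted(ids)]
        actions.append(("mute", user))
    for m in messages:
        if is_emoji_only(m.content):
            actions.append(("delete", m.msg_id))
    return actions
```

The thresholds (three channels within sixty seconds, fifty characters with no alphanumerics) are starting points to tune against real channel traffic so that legitimate cross-guild announcements are not muted.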

Does this mean we’d have a BanklessDAO Google Docs?

This could be a viable product on its own for other DAOs I imagine. Do you see that as a possibility? It could be a proposal in its own right if you want to keep that in your back pocket.

In theory yes, but at $6/user/month, users would need to give a use case for an account and it would come out of their guild’s/project’s budget.

We could make this a DAO product for sure. I was debating doing it in Python to try and make it extensible and also allow it to manage GitHub permissions.

“Taking over” is perhaps the wrong term. We would not be removing anyone from GitHub admin, but providing guidance on security and management of GitHub, and similar centralized services as these web2 services will require web2 InfoSec experience. InfoSec and DevOps will work together like peanut butter & jelly, and I personally will be in every DevOps meeting, and remain a member of the DevOps team as well as run this team.

I’m fine with keeping the GitHub funding under DevOps for S3 if you’ve already been funded.


Sadly the forum is not letting me reduce the BANK to reflect that GitHub is funded by DevOps this season. Next season I’ll work with amaredeus to decide how to split that budget and labor between the two teams prior to either of us submitting proposals.
