Disclaimer: This is not a funding / top-up proposal. The transfer of 0.22 DOT is a mere “stamp of approval” of the changes proposed below.
Disclaimer 2: This referendum is posted under the Treasurer track, which is higher than the track under which the bounty was originally created (High Spender).
PAL is a community-driven initiative that aims to make Polkadot a safer and more attractive place for both builders and users by allocating funds from the Polkadot treasury (bounty #22) to advance security in Rust / Polkadot SDK.
Since its creation, PAL has distributed 157,155 DOT to co-fund 14 Rust security audits of 11 Polkadot parachains, helping to remediate 18 High-risk vulnerabilities that could have resulted in the loss of user funds (see PAL Community Report H1 24).
This proposal aims to bring PAL into the next stage of its evolution by expanding the scope beyond “audits of parachains” towards a more holistic approach to Polkadot security. The expertise of the curators should be leveraged to review and - where appropriate - renegotiate security initiatives which would otherwise go directly to OpenGov. At the same time, this proposal tightens the maximum payouts (previously up to 18,000 DOT) and denominates the thresholds in a stable currency (USD).
List of proposed changes including high-level limitations and rationale:
Limitations: Maximum 80% of the costs or up to $100,000 per chain and per 6 months. The criteria will be further specified and published by the curators.
Rationale: The original eligibility criteria are confined to the definition of a parachain. This should be adjusted as Polkadot transitions into coretime. At the same time, curators will need to ensure that coretime consumers applying for funding are serious and trustworthy actors. This will be achieved through a combination of objective criteria and subjective judgment.
Limitations: Maximum 50% of the costs or up to $50,000 per project and per 6 months. The criteria will be further specified and published by the curators.
Rationale: The adoption of ink! has been lagging behind, and with the birth of Plaza we expect that the share of Solidity smart contracts in Polkadot will grow. The curators will need to ensure that the smart contracts applying for funding are trustworthy and will be deployed on Polkadot, and not elsewhere.
Limitations: Maximum 80% of the costs, up to $100,000 per chain and per 6 months. The criteria will be further specified and published by the curators.
Rationale: Covering (a part of) the audits of the Polkadot relay chain and its system chains will increase the transparency and control by the community, allowing us to identify critical parts of the common infrastructure that require (further) auditing.
Limitations: Maximum $250,000. If the application exceeds $50,000, it must be split into milestones and subsequent payouts will only be done after the previous milestone has been delivered.
Rationale: As OpenGov funding requests for security tooling increase (example here), it makes sense to channel such requests through the PAL bounty and leverage the expertise of the curators who are better suited to give a judgment on the added value of the tooling and its costs relative to other security initiatives.
Limitations: Maximum $25,000 per use-case.
Rationale: PAL Curators should have the discretion to spend limited resources towards common-good initiatives that do not fall in one of the categories mentioned above. For example, by making donations towards the reputable SEAL cross-ecosystem initiative we could have a 911 hotline for victims dedicated to Polkadot, organize War Games (simulate attacks to train security response) or implement the Safe Harbour Agreement which provides guarantees to whitehats.
Limitations: $3,000 worth of DOT per curator per month.
Rationale: The current fee mechanism has proven too limited to provide sufficient incentives for administering the bounty. For 8 months of work, each curator has so far received just under 500 DOT. To accommodate the current and future scope of work, this proposal converts the fee into a monthly salary, ensuring that the curators are incentivized to book at least one day per week to onboard security experts and to thoroughly examine and renegotiate their applications.
With over 30 years of experience in the security field, Vince is currently the CISO at Parity, leading the Security team in adapting Parity's security posture and its support to Polkadot in line with the evolving cyber threat landscape.
Having joined Parity in 2017, within a couple of weeks of the infamous “Ooops, I’ve accidentally killed it” hack, Kirill soon took charge of all things security at Parity, serving as Head of Security/CISO for almost 5 years. Kirill currently runs his own hardware security startup, Kampela, and advises other teams in the space on security and blockchain engineering in general.
Stay safu.
PAL (Polkadot Assurance Legion) is a community-driven initiative that aims to make Polkadot safer by funding security audits. So far, PAL has spent 157,155 DOT on 14 audits, helping to secure 18 high-risk vulnerabilities.
These changes aim to make Polkadot even safer and more secure.