Grant for security work

Hi Mango DAO and happy new year

Around this time last year, I asked for, and received, a grant to cover time for a security review of the v3 repos and to build out automated security CI workflows to reduce risk and shift security left (i.e. catch issues earlier and rely less on audits).

Since then, over the past year, I have contributed to Mango through a range of security and DevOps activities, e.g.:

  • maintained and improved the CI workflows for v3 (until v3 was deprecated)
  • added mobile security testing for the upcoming app and worked with the devs to close vulnerabilities
  • added and maintained security workflows for all v4 repos and closed out vulnerabilities as they’ve been raised
  • added various functional testing workflows (rust/typescript) for all the v4 repos
  • added various non-functional workflows to e.g. calculate compute units
  • provided input to docker/runtime security configurations
  • ad hoc pen testing of UI and repo scanning
  • added v4 security policy and on-chain security details for v4

My contributions have not been funded and I have not been logging my time in any detail over the year. I’m asking the DAO to approve a grant equivalent to 1 working day per month for the past 12 months for my contributions. More specifically I’m asking for a grant of $15,360 USDC to cover my 2022 contributions.

I endeavour to continue contributing going forward, unless asked not to. Open to suggestions on how to manage 2023!

Welcome feedback and questions,
Silas


Happy new year Silas!

I appreciate working with you, in particular the issue of supply chain attacks seems to be a growing concern. Would like to see more input on that side as open source projects are especially vulnerable.

Thanks Max. The threat landscape does indeed seem to have shifted a bit. On a positive note, I have more value to add on that aspect, compared to e.g. smart contract logic vulnerabilities. Welcome input on where I should focus in the wider community, besides the DAO and OpenBook projects.