Application for Major Grants Review Committee

Hi All,

Sorry for the very late application. (23:30 31/05/2020 BST)

I am putting myself forward for the MGRC. I have been an active member of the community since the big ASIC thread. I am currently on the Community Governance Panel and was heavily involved with the process that got us here. From writing and help writing numerous ZIPs to participating in all the voice chats and discussions surrounding NU4 and what happens with the dev fund.

I am only interested in zcash and have been part of bitcoin since 2010/2011.

I am very keen on seeing this process through and working out what needs to be done next.

I strongly believe that the MGRC is in a position to add requirements for professional security reviews and audits to key network applications. I have worked with a number of different companies that can provide these services. So has the ECC. I would like to leverage that knowledge as much as possible. These can be additional and funded by the MGRC. I will use all my knowledge and skills to make this happen. I go into further details in this post.

I have a long history in software development, hardware and cryptography. I currently sell vulnerabilities to red teams and pen test companies. I find these mainly through reverse engineering and automation. I have worked in development for 18+ years and am familiar with most development lifecycles and constantly working with different teams. I predominantly come from a testing and security background. I have been responsible for budgeting, resource management and dev life cycles for blue chip companies.

Because my work now is for myself and is highly automated I have quite a lot of time to dedicate to other things. I would like to put that time towards working on making zcash a more complete and well rounded software ecosystem. I am not sure if this will be a full time role, if however it does turn out to be I can and am willing to put the time in and do what is required.

I think that the first year for the MGRC will be different to the next ones. Mainly because it is new and needs quite a bit of documentation and working out how best to proceed. This is going to require conversations between recipients, potential recipients, the foundation, CGP/CAP and internally within the MGRC.

I see the main areas that need to be sorted for a decent foundation will be documenting, writing up the processes and ironing out best practices / strategies for accounting, transparency, accountability, community feedback, taxes, protocols and maybe most importantly, communication.

A lot of this is not “forward facing”, but once it is done it will be easier for people to follow. The people who take this through the first year may well not be the best people to keep it running, they are different skill sets, and I think it might take up to 18 months to get it up and running fully, depending on how this works out and the amount of time people can commit.

It is essential that all the work that is being done, forward facing or not, is fed back to the community. If this role were to receive some form of remuneration then it is essential that the community knows where and why their zec is being spent. The dev fund is to make zcash technology a viable long term asset to the world and that means everything must be accountable.

Regarding remuneration, I didn’t initially think this role would be compensated. If it is more than 8 hours a week over an 8 week period I would like some form of compensation.

To further elaborate on this: (added on 1/9/2020)

I am applying for this position out of love for zcash and the zcash mission.

From what I can see all the candidates are asking for little to no money. I strongly believe these candidates will proactively work to forward zcash regardless of remuneration. The zfnd has graciously agreed to act as arbiter of “fair market value” and it is pretty clear they are very generous / fair with these. I am sure they can do the same to evaluate the hours spent by the MGRC that is not already outlined. - I for one am very happy to put in the work, let someone else (zfnd) decide what it is worth (if it is worth anything at all, quite a lot of work isn’t.) and go from there. It is very similar to the nature of my current work, bounties, you never really know what something is worth until you try to sell it.

If I spend 4 hours a week on admin and communication, I really don’t feel strongly about being compensated for this, I think ambivalent might be too strong a position for me. I really respect the zfnd offering to compensate for the grant specific related work.

Achieving the mission is my goal - if any of my skills can help realise this, then I will do what is needed. I have sunk a lot of unpaid time into this already and I have a lot of things I can bring to the table to complement the MGRC in its grant making decisions. Specifically around formalised security processes. (I am not a guru on this, but I know what they are, what they should look like and how to read/generate the reports.)

I really think that the MGRC using some form of Requirements Based Processes (something like IBM DOORS/Microsoft Tactics) would go a long way to help standardise common security practices across independent projects. Projects getting MGs will have to show they have done their due diligence as part of the submissions process. I can certainly point applicants to companies that have skills to perform this work, be it for cryptographic stuff, code analysis stuff, network stuff or web based stuff or some combination of the above.

I have put a lot of effort into getting us to where we are now and would really like the chance to take this further.

I really thank the ecc and zfnd, for giving the community this amazing opportunity. It really does quell any criticism or concerns I have ever had about their intentions. Particularly @zooko, big respect. - The fact I can even apply for this position speaks volumes to your true intent. If I get elected I will not squander this opportunity.
(/end further elaboration)

Please feel free to ask me some questions and I hope to get your vote.

Many thanks,

Steve.

Some zcash stuff I have done:
Wrote and championed a number of NU4 proposals.
I am part of the CGP/CAP.
I am heavily involved with the community and moving forward with zip 1014.
Part of a team that made a hardware wallet. (fpga based)

13 Likes

Hey @mistfpga, no worries about being “late”; the deadline was extended to September 1st.

I have added your thread to the top post of the MGRC Megathread. Good luck!

PS: I can vouch for the great work that mist has done during the many months of Zcash development fund discussion. He is a member of the Zcash community that I think would be a valuable asset to the MGRC.

5 Likes

Ah, so I am early. Nice. I have to go catch up. Been a little indisposed recently.

Thanks for the vote of confidence. 🙂

It’s really important to have someone on the MGRC who is familiar with development processes, and is technically knowledgeable enough to be able to do good due diligence on the skills of the teams of people applying for grants. You sound very knowledgeable!

4 Likes

I agree. To be fair though, I think quite a few applicants have that too. One unique thing I can bring is the ability to assess milestones, testcases, etc.

I know this work is going to be carried out by the foundation, however it is something that needs to be reviewed at application time. It would be crazy for requirements to be proposed by the applicant and accepted by the MGRC, only to turn out to be useless for the ZFND to appraise from.

I’m going to go over 1014 again over the next few days to find potential issues so we can hopefully stop them becoming problems.

3 Likes

If you’re willing to use your reverse engineering and automation to get the applicants pen tested, I am curious what others would think about having you become the first member of a Grants Audit Team, with a good pay grade for how valuable that info can be early on in development with FinTech.

Hi Phil,

Sure that could be an option. Virtually all of my stuff is black box tho, so not too much use for stuff in development. All of the runtime analysis stuff would still work. - If it is x86 or x64, compiled in C or C++ and runs on windows. I could add arm support but I am rewriting a lot of it to use Ghidra rather than IDA.

I think as far as the MGRC is concerned, this is better handled by the foundation, or actual legal auditors. (Audit has a very specific legal definition and I don’t have that legal authority.)

I have been doing it for fintech. - as in actual audits (FIPS mainly). I have spent 4 or so years working on Hardware Security Modules, like Hal used for hashcash. These are ubiquitous through the banking and fintech industries. I also worked on the update to EMV (chip n pin) pentesting the code and the fpgas/hardware. (my skills are mainly in reversing code not hardware.)

edit: I thought I put stuff referencing this in the first post, must have been a cut n paste error. I should fix that.

1 Like

Hi @nathan-at-least,

Thanks for asking these questions directly. I know they were not directly aimed at me but I would like to chuck my 2p in. My lower estimate on work involved, and the amount I am willing to do unpaid would be 2.4 weeks (96 hours) per quarter, which is up to 8hrs per week.

Is this a role for the MGRC? I can’t find the relevant bits in zip 1014. This at the moment feels a very big stretch to do this in year 1. We already have 1 applicant (ECC) (my mistake) with at least 1 more I know of expressing interest (@mhluongo).

Sure the MGRC can suggest people apply for funding, but to directly solicit it would seem like a potential conflict of interest. It would certainly need a lot more fleshing out by the MGRC as to the ethics and rules behind it.

This is an essential part of the MGRC. Especially in year one. They need to express what proposals should look like, what they need to include and to work with the first applicants to get this down. It will be a very valuable learning experience for the applicants and the MGRC. There should also be some mechanism (a bit like bounties) where the MGRC can express what proposals they would like to see. Again though the ethics and rules behind this need to be worked on. The way I currently read zip 1014 is that putting out for tenders is not in the remit.

I am a little more sceptical of this.
The amount of money involved and the structure of how it is being paid from community funds would make me err on the side of the proposal needs to spoon feed me all that information in a way that takes little effort for anyone to robustly verify. If it doesn’t, then it is not a good proposal and shouldn’t be funded. This is other people’s money, it must be spent with full accountability.

I don’t think it is desirable for the MGRC to be the only form of due diligence. Sure some has to be done by them, and not just cursory - but none of the people who are going for the role seem to have investigatory skills. I can verify information given to me in a way an employer would, but proper due diligence would cost a lot more. Who should pay for this? The initial thought would be to make the applicants pay. I am not sure on this.

If the only line of defence is the MGRC then this, when combined with tendering for proposals can and probably will lead to cries of favouritism.

The proposals have to be able to stand on their own and be complete things. I have a very high bar for what I think a proposal should look like and what information it needs to contain.

I concur this is very much the responsibility of the MGRC

In zip 1014 this is specifically the role of the ZFND, I personally would be very happy to take on this role within the MGRC (my first application was based off this premise, but I scrubbed it after @shawn pointed out that this is specifically given to the ZFND in zip 1014.)

EDIT: as shawn has highlighted below I misread what he wrote. 1014 doesn’t seem to cover this specifically. I strongly believe that if the MGRC is allowed to do this work then they should. I will be revising my application accordingly.

I have a wealth of experience in this area and really enjoy this kind of work. This would exponentially increase the amount of time needed for the MGRC though. I can see this being a full time role. @acityinohio You are currently champion of 1014 - what do you think of the MGRC running concurrent testing and verification of work alongside the ZFND? I can see things for the MGRC to track that the ZFND wouldn’t, but most of them are for improving the processes and functionality of the MGRC. Actually this is a pretty tricky question. How do you see the MGRC handing over accountability for the proposals to the ZFND?

Isn’t this done by the blockchain and ZFND? Or am I missing something? The accounting would be very basic, no? I am probably showing my ignorance of US financial legal/tax requirements when it comes to business operations.

These are imperative. Full accountability to the community, whilst helping applicants get decent applications in. (I would like to do this too, I am good at this sort of thing - steve 2020!) If this part of the MGRC fails then the whole thing fails. If we follow shawn’s structure (which I really like) of two people full time, then this would be one of the duties of the full time person.

This is important enough that the MGRC would need a community “liaison”. It is the community’s money - the MGRC is just a concentration of representation, in this way it is very different from the ECC and ZFND.

I am starting to get confused. If the MGRC members are going to get compensated and they are going to hire staff, where on earth does the MGRC funding come from? How much budget is there? I don’t remember talk of any of this when the proposal was going through. Did I miss it? If the MGRC takes their own funding from the dev fund who decides how much they get and how is this decision made? Who signs off on how much money they can spend?

I will probably tidy this up and post it as questions for the other candidates so they can respond in their own threads.

2 Likes

ECC is explicitly excluded from MGRC grant funds in my understanding of ZIP 1014 (as is Zfnd). Both ECC and Zfnd already will receive a portion of the Dev Funds outside of MGRC, so my understanding of this exclusion is to ensure funding goes to other orgs/applicants.

Did you have a different understanding?

4 Likes

Nope, I completely forgot that when I wrote it. Sorry about that.

Thanks for this thoughtful response!

FWIW I expected this would be the role of Zfnd, given their other community work and that they need to similarly solicit for regular grants.

1 Like

I’m not sure about this part @mistfpga

The part of ZIP-1014 that I quoted regarding performance factors:

I think means that the ZF shall set “key performance indicators” but it will remain up to the MGRC to follow up with the teams to see these indicators are met. In my interpretation that means it’s a sort of checklist, not too dissimilar to what previous Zcash Foundation grant recipients have had to do when they accepted a grant:

More of a “starting point” for MGRC to expand upon and adapt to the projects as selected.

Disbursement of funds and contracts will still be handled by the Zcash Foundation for tax/501c purposes but it will be the responsibility of the MGRC members to give a “green light” of sorts (based on the progress reports/milestones) for the next payout to a recipient.

I’m thinking of it like if it were a company. Where the management (MGRC) make the day to day decisions hire/evaluate/fire and hand it over to payroll (ZFND) to make sure everyone gets paperwork and paid properly.

3 Likes

I’m still happy to see someone with technical qualifications applying, thank you for this great application.

1 Like

Thanks shawn. I did read it differently. I’m not too sure what is up with me lately. I will amend my application.

I think we are overestimating what we know, if we think now is the time to constrain how the MGRC should find worthy projects.

I think those decisions should be driven by as much information as possible, and should be maximally pragmatic.

2 Likes

I find your technical perspective attractive!

I have a few specific questions:

What do you think of MGRC-member receiving vested Zcash, as part of their compensation?

What response do you-as-a-candidate have to this news:

?

Can the MGRC play a meaningful role in this transition?
Can an MGRC-candidate positively effect the evolution of our inter-locked communities somehow?

I’m shopping for ideas here.

1 Like

Hi Zancas,

Thanks for the thoughtful questions. I have been giving vesting some consideration since you brought it up again recently.

I personally have no real problem with vesting. My only concern would be the details of the amount and delay of vesting. If people are expected to quit their day job and rely on their position on the MGRC then they need an amount of consistency in how they are paid. They will need to eat and pay rent too.

We decided very early on in the process that being disadvantaged should not stop you from serving on the MGRC - including financially - this is also my main motivation for stepping up to write the CZIP format, guide and champion/write a number of zips for other people. Not being part of the forum or knowing how to write a zip / zip language should not prevent you from having your voice heard. I am very passionate about this.

Most of the vesting I have been exposed to before has been in the form of shares from a company which are either optional or capped at a certain % of base wage and matched by the company. I have never heard of this being above 15% of the base salary, what was your thinking on this? But I don’t think this is the vesting you are talking about. You are talking about using vesting to “bind” the members to performance targets or other metrics, ala timelocking. (I am very anti to time locked miner rewards though)

I am really interested in hearing more of your ideas on this. I was looking back through an old thread and you had a lot of good stuff to say on this, my ideas are going to be limited in this area, it is not my forte. I didn’t really consider vesting until you brought it up, but I can and would like to bounce off someone else’s ideas. What do you see the timescales as being?

I think all MGRC members should be paid in zec and encouraged to keep a section of their portfolio in zec. Obviously they might need to sell some for expenses or whatnot. You can’t tell people how to use their money, but you can encourage it - maybe this portion could be somehow used in vesting?

Just to make sure, it is members’ compensation for serving on the MGRC that is vested, nothing else, right? Because that might change my stance a bit. (but based on your posts back in jan/feb I don’t think this is the case)

All this is said with the heavy “I am not a lawyer and will happily change my opinion on this based off legal advice”

Regarding rust.

This is the first I have seen of it. After reading it and reading Mozilla’s statement I would like to take some more time to digest it and think about the implications and possibilities. An initial off the cuff response would be that it seems they are moving to a smaller system but double focusing on their goals. Which are very much in line with zcash’s goals, there might be something that can be done there. It also highlights what tromer was saying, that zec is an excellent way to fund zcash.

I will post a more thought out response in the next day or so if that is okay.

I appreciate this very much

I also think you are setting the appropriate expectations for the first 18 months of MGRC

You have my support!

1 Like

I can’t sleep so I thought I would write up an idea for an MG I would like to pursue. I have not researched this really at all yet. It is still very much an idea.

@zancas I am sorry I haven’t had a chance to look into the rust question you asked me. Hopefully this gives you an indication of how I’m thinking and will be okay until I have had a chance to read up on RFnd a bit. Please keep the forums updated on your outreach to them.

This is very much a brainstorming post. I would appreciate feedback.

The intent of 1014 is to allow projects that do not give a ROI the access to funding. zcash has historically not fared too well in the open source scene. I see the MGRC as a step towards fixing that.

I think the best way to achieve both would be to try to get involved with a company like the EFF, they are large enough to be able to handle significant funding (Major Grant) from the blockchain and award it to needy causes, be it legal fees or software. The EFF is well known enough to be a major coup for zcash, they are already accepting it, this could be the next step.

Whilst this grant would not make an ROI you could try to put things in the grant like, integrate z2z messaging plugin into the tor browser bundle. This is not just product placement, it would be a genuine step forward. You would have a team at/hired by the EFF who would know how to use zcash technology and a secure messaging product in tor itself. I don’t know how the EFF would respond though, but I would love to have the authority, and remit to commit the resources to them and see where this leads. Let’s face it, z2z in the browser bundle would rocket the price, although that is an added benefit. (btw I am reserving the right to apply for a zfnd grant for z2z in the browser bundle)

After that, leveraging the team, or maybe using a new team to get more people involved. You could try to get something in there to help with mitming on exit nodes. Haven’t given this much thought yet. The EFF has better access to talent to do this sort of work than the community. Imho they are the sort of place we should be looking when we are trying to further the zcash mission using the part of the MG slice that the MGRC decides to allocate to non ROI projects/Open Source outreach.

This well funded MGRC + zksnarks is something no other coin has, let’s use it to make a difference. We can stand out from other projects via the MG, we really have something amazing to offer projects and through those projects we can make a difference to the world.

3 Likes