[Grant Update] Zcash Ecosystem Security Lead

Hi Zcash community!

At the end of March, our team at Least Authority was selected for the role of Zcash Ecosystem Security Lead (more about that RFP).

Starting in April, as part of our role, we are doing the following:

  • Security Audits of Specifications and Codebases, along with published results;
  • Short Consultation Sessions, on security topics, as needed, such as incident response investigation and remediation, management of data privacy in systems and threat modeling; and
  • Community Engagement, including open office hours.

As noted, we’ll be coordinating our priorities with the ZCG Committee and posting monthly updates about our work here in this thread.

We’d appreciate any feedback, especially about how you’d like us to engage with the community and provide the most effective value in our role.

You can contact us here on the forums, if you have any questions, requests or suggestions!
(You can also contact us at: consulting@leastauthority.com and we are able to chat via Signal, if that is your preference.)

The Least Authority team

16 Likes

April Report:

In April, we have been focused on getting organized with our new role and integrating ourselves into the ecosystem, along with helping out 2 teams with their management of reported vulnerabilities.

Security Audits:

  • We met with QEDIT and discussed reviewing the specifications (ZIPs) for the ZSA work they are doing. This will be scheduled to be completed asap.

Consultations:

  • We completed a review of the vulnerability management of Zingo and provided a report to the team.
  • We completed a review of the vulnerability management of Ywallet and provided a report to the team.

Community engagement:

  • We kicked things off with the ZCG.
  • We’ve started to chat directly with a few projects in the Zcash ecosystem.
  • We introduced ourselves on the forum.
  • Supported Ryan’s organizing the Berlin meetup for ZconV at the Least Authority office. (We’ll also be sponsoring the space, along with some food and drinks.)

Please let us know if you have any questions!

8 Likes

May 2024 Report:

In May, we are continuing to get more involved with the community and ecosystem.

Security Audits:

  • We started to review the specifications (ZIPs) for the ZSA work for QEDIT. However, we were not able to schedule a kick-off with QEDIT and this work was then paused to allow our team to focus on an urgent review. This review will be rescheduled to be completed asap.
  • We started to review the Go Zcash Address parser. This review will be completed and the initial report submitted by June 5th.

Consultations:

  • We did not complete any short consultation sessions in May.

Community engagement:

  • We are continuing to chat directly with a few projects in the Zcash ecosystem about their needs, along with the ZCG.
  • Supported Ryan’s Berlin meetup for ZconV at the Least Authority office. (We sponsored the space, along with some food and drinks.)

Please let us know if you have any questions! We have some availability for short consultation sessions, if you have any needs in the ecosystem - please reach out.

7 Likes

Now for our June monthly report:

Security Audits:

  • We completed our initial review of the Zcash Address Go Parsing Library, which was started in May, and submitted our Initial Audit Report, as planned.
  • The Findings in the report were sufficiently addressed; we completed the verification review and submitted our Final Audit Report for the Zcash Address Go Parsing Library.

Consultations:

  • We did not complete any short consultation sessions in June.

Community engagement:

  • We are continuing to work directly with the projects in the Zcash ecosystem about their security auditing and other support needs, along with the ZCG.
  • We have some availability for short consultation sessions, if you have any needs in the ecosystem - please reach out.

Let me know if you have any comments or questions!

4 Likes