I would like to open a discussion around securing the Zcash ecosystem in the context of ZOMG funding.
When I was campaigning for my seat on the committee I made the following policy suggestions:
Now that the @ZcashGrants is up and running, and proposals have started to come in, I would like to take some time to flesh out that vision for the future of securing Zcash ecosystem projects, regardless of whether they currently exist independently, are funded by ZOMG or are yet to be imagined.
Zcash ecosystem projects do not have the best track record on security and privacy, and the cryptocurrency world, as a whole, is not kind and will not hesitate to exploit any holes that might exist. As such, it is critical that when ZOMG funds the Zcash ecosystem we take great care to help projects reach the highest levels of security and privacy assurance possible.
In my opinion it doesn’t make sense for the ZOMG to require projects to source their own security and privacy reviews, nor to account for these in their grant applications - this approach will result in duplicate work and funding inefficiencies. More fundamentally, such an approach diversifies the effort while doing nothing to mitigate the brand risk associated with any kind of major public ecosystem privacy flaw.
To that end, I would like to propose the creation of a dedicated Zcash ecosystem security team. This team would be funded by ZOMG, and would be available for projects to consult with. Their ultimate responsibility would be to ensure that ecosystem projects like wallets, infrastructure, explorers, and zapps meet the high bar that Zcash requires as a privacy-first project.
I believe that Zcash is in a fairly unique position given the ZOMG and the strong technical foundations of the project to cement itself as an ecosystem that is unmatched when it comes to privacy, but that will only happen if we can back up exciting new applications with strong assurance.
To that end I have a few questions that I would like to put forward to my fellow committee members, and the wider community:
- What are your opinions on the creation of such a team?
- Do you have thoughts on the structure of such a team?
- Do you have ideas on who you would like to see involved in the team?
- Is this something you would prefer to see handled by e.g. a dedicated/contracted industry partner or constructed from scratch?
Please leave any and all thoughts, ideas and critiques in this thread. I will gather them all up to produce a provisional Request for the ZOMG committee (and community) to discuss (and maybe ultimately vote on).