RFP - Zcash Ecosystem Security Lead (2023)

Hello everyone - we’re publishing the RFP below seeking a replacement for the Zcash Ecosystem Security Lead role.

The RFP is available in PDF format for sharing here.

Proposals for this RFP can be submitted here.

  1. Project Description

The Zcash Community Grants (ZCG) committee is seeking a qualified individual or organization to fill the position of Ecosystem Security Lead for a one-year term. This role is integral in enhancing the security, usability, and overall trust within the Zcash ecosystem. The selected entity will be responsible for performing security audits on community projects, coordinating responses to vulnerabilities, and offering expert advice on project security to both ZCG and the wider Zcash community.

The relationship between the Grantee and ZCG will be that of grantee and grantor, governed by both standard grant terms and conditions and additional RFP standard terms and conditions.

  2. Scope of Work

The selected Ecosystem Security Lead will offer:

  • Security Audits: Prioritize and conduct thorough security audits of Zcash community projects, aiding in the remediation process for identified issues to prevent potential harm to users.
  • Open Office Hours: Establish and maintain regular open office hours to provide security-related support to community projects.
  • Vulnerability Coordination: Swiftly and effectively coordinate responses to vulnerabilities reported by third parties or identified internally.
  • Consultation: Offer valuable insights and evaluations on the security facets of different projects to ZCG and the Zcash community.
  • Audit Publication: Ensure audit results are published regularly, adhering to a 90-day embargo for unresolved critical bugs.
  • Regular Reporting: Provide monthly updates to ZCG on audit findings, vulnerabilities, and ongoing efforts to bolster ecosystem security.

  3. Proposal Requirements

Prospective candidates or organizations should possess:

  • A demonstrated track record of conducting cryptographic security audits.
  • Expertise in application security with the capability to audit code across various languages.
  • Proficiency in aligning security advice with the practical and business needs of community projects.
  • Previous experience or understanding of the Zcash ecosystem and its associated cryptographic protocols is considered advantageous.

  4. Submission Guidelines

Interested entities are required to submit:

  • Proposal: A comprehensive document detailing their strategy for security audits, community outreach, vulnerability coordination, and other responsibilities highlighted in the Scope of Work.
  • Budget & Timeline: An itemized budget and projected timeline to accomplish the specified Scope of Work over the one-year term.
  • Professional Background: A resume or documentation of work history, emphasizing security auditing experience and any interactions with cryptographic projects or ecosystems.

  5. Evaluation Criteria

Proposals will be evaluated based on:

  • Technical expertise and demonstrated experience with conducting cryptographic security audits and application security assessments.
  • Understanding and alignment with the Zcash ecosystem’s goals and values.
  • Feasibility of the proposed approach.
  • Budget and time efficiency.

Support and Collaboration

While the Ecosystem Security Lead will operate with a significant degree of independence, ZCG is committed to providing necessary support, including facilitating community interactions, offering guidance, and ensuring smooth integration into the Zcash ecosystem.

18 Likes

Hi ZCG Committee members and Zcash community!

We, Least Authority, intend to submit a proposal for this RFP for the Zcash Ecosystem Security Lead role. We would be honored to have the opportunity to serve the Zcash ecosystem, the way that Taylor successfully has, and help Zcash continue to be a leader in privacy and security.

If you’d like to read more about the work we’ve done with zero-knowledge proof technology, check out our blog post: Pioneering Zero-Knowledge Proofs: Eight Years of Security, Implementation, and Education - Least Authority. You can also learn more about Least Authority’s security consulting work on our website.

For transparency, I would like to disclose that Zooko (CEO of ECC) and Amber (on the ZCG committee) are members of Least Authority’s Board. We believe this does not present a conflict of interest. However, I am happy to discuss this if any clarification is required.

15 Likes

Dear ZCG Committee,

Thesis Defense is thrilled to have the opportunity to submit a proposal for the Zcash Ecosystem Security Lead RFP. Thank you for taking the time to discuss the RFP and providing nuanced insight into the needs of the committee and the community at large.

Thesis Defense is a new team that consists of a group of senior security researchers who have extensive security experience in the decentralized technology space and within the Zcash ecosystem. Our makeup is a hand-picked group of senior auditors and cryptographers that have worked together extensively in past roles.

We’re incredibly excited about developing a new audit standard for a variety of technologies and languages, including various protocols, wallets / browser extensions, crypto libraries, bridges, and smart contracts. You can read a bit more about why we decided to co-found Thesis Defense here.

We look forward to submitting a proposal that outlines how Thesis Defense and the ZCG committee can best partner to both provide security audits to the Zcash ecosystem and ensure the committee and community have the security support they need to maintain a robust and comprehensive security posture.

Many thanks for the opportunity and for your consideration of our proposal. We look forward to a thoughtful and constructive discussion following the submission.

15 Likes

For transparency, I would like to disclose that Zooko (CEO of ECC) and Amber (on the ZCG committee) are members of Least Authority’s Board. We believe this does not present a conflict of interest. However, I am happy to discuss this if any clarification is required.

IIUC, there are several members of ECC and grants folks who are major shareholders of LAE? Additionally, without more current transparency reports a debt of $3.75 million is due from Bootstrap by Sept 2024 to LAE? https://electriccoin.co/wp-content/uploads/2023/09/Transparency-Report-Sept-2023.pdf

It’s a pleasure to introduce Halborn to the ZCG Committee and the Zcash community! Halborn intends to submit a proposal in response to the Ecosystem Security Lead RFP.

Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as Uniswap, zkSync, Matter Labs, Circle, Dapper Labs, Polygon, Animoca Brands, Sushi, and many more.

We have experience in the Zcash ecosystem already, having identified a zero-day vulnerability that impacted Zcash, giving us an established understanding of the tech stack. We have also served as a key security partner for another popular ecosystem, Solana. We make mention of this to highlight not only the breadth of our expertise, but also to call out our commitment to establishing strong and successful relationships with leading blockchains operating in the space today.

Halborn provides Smart Contract Security Assessment, Advanced Penetration Testing, DevOps & Automation, and Security-Advisory-as-a-Service.

We will serve as the ecosystem’s reputable partner to continuously assess vital assets, save time in the development lifecycle and provide world-class cybersecurity consulting and assessments every step of the way — far beyond just smart contracts.

Thank you so much for the consideration, and we look forward to a constructive dialogue.

Halborn

10 Likes

Hello Zcash Community,

It’s Noah Jelich representing Hacken, and I want to announce our proposal submission for RFP - Zcash Ecosystem Security Lead (2023). Let’s start off by saying we understand the vital responsibility of the Ecosystem Security Lead position for your ecosystem. I want to provide you with more information about our company and what you can expect from us.

Why Hacken is the Perfect Fit:

  1. Proven Track Record: Founded in 2017, Hacken is trusted by industry leaders like 1inch, Animoca Brands, European Commission, Polygon, Cronos, Binance, and many others. We have a very compelling team under the leadership of our Director of Services Luciano Ciattaglia.
  2. Expertise Across All Domains Of Blockchain And Cryptography: We work in the most critical domains of blockchain security and cryptography, including blockchain protocol assessment, all types of penetration testing, decentralized application code review, and targeted security consultations.
  3. ZKP Audit: Hacken brings specialized expertise in zero-knowledge proofs. ZKP technology is a cornerstone for privacy and security in Zcash. Our team is well-versed in the complexities and nuances of ZKP, positioning us to conduct in-depth audits that ensure the integrity and confidentiality of these systems.
  4. Open Office Hours: Building on our commitment to accessibility, we plan to establish regular sessions for security support to community projects with expert consultations.
  5. Vulnerability Coordination: Our rapid response capabilities are primed for effectively coordinating actions against vulnerabilities, and we always follow up to make sure no weak spots are left.
  6. Audit Publication and Regular Reporting: In line with Zcash’s expectations, we will regularly publish audit results, fully respecting the 90-day embargo for critical bugs, and provide regular updates to ZCG on ongoing security efforts.
  7. Native Bug Bounty Platform: In addition to our service portfolio, a core of our approach to blockchain security is crowdsourced protection. We have a native bug bounty platform HackenProof with 30,000 ethical hackers.

As Ecosystem Security Lead, Hacken will operate with a significant degree of independence while staying committed to collaborating with ZCG. We are prepared to facilitate community interactions, receive guidance, and ensure smooth integration into the Zcash ecosystem.

With Hacken’s vast experience and commitment, we are excited about the prospect of taking on this challenge, and enhancing the security and overall trust in Zcash. We look forward to the opportunity to contribute our knowledge and skill in the position of Ecosystem Security Lead for a one-year term.

Stay safe,

Noah Jelich,

Hacken Representative for Zcash

3 Likes

@Liz315, at the most recent meeting, the @ZcashGrants Committee voted to approve the Least Authority proposal for the Zcash Ecosystem Security Lead on a 3-month trial. The committee has requested that you provide monthly updates via the forum. Please start a new thread in this category: Community Grants Updates - Zcash Community Forum.

3 Likes