Zcash Ecosystem Security Lead

Yep, Ywallet is on the list now!


We’re actually trying to change this! In zcashd 5.0.0 we introduced a deprecation framework, to provide an explicit process and timeline for making changes. We’re still going to be careful about the changes we do make, as before, but the idea is we have something more tangible than a “this is deprecated” note in the RPC’s help text.


That’s a great idea! It’d be interesting to do a “secure usability” survey of the ways the RPCs are being used by community projects, asking “what common problems could be avoided by making changes to the RPCs?”


That’s great news!

Sounds like a good name for it :relaxed:.

That also makes me wonder if ZCG should fund an RPC fuzz tester. Maybe we’ll get lucky and find a team has already written one? As an example, I wouldn’t be surprised if some apps aren’t fully testing against RPCs that rarely (but can) return empty lists. Something @earthrise can advise the community on as they (hopefully) begin work :slightly_smiling_face:.

Hi everyone,

We had a great conversation with @earthrise on Friday about his grant proposal. We discussed Taylor’s background, motivations for this grant, and his vision for success for this grant and the Zcash ecosystem. We also discussed some expectations the ZCG committee has and clarified a few points of concern.

Our outline of expectations includes:

  • Monthly milestone payments will be adjusted based on work completed in a given month, not to exceed the overall approved grant funding cap.
  • The applicant will participate in a monthly call with the ZCG committee before billing the current month’s work to discuss the following:
    • Proof of work to be billed for the current month.
    • Work planned for the next month.
    • Prioritization of future work with input accepted from the ZCG and broader Zcash community.
    • Relationship building accomplished within the community.
  • The applicant is required to work with ecosystem developers and partners via their preferred communication channels.
  • The applicant is required to follow responsible bug disclosure best practices and, when available, adhere to the disclosure policies and channels of the organization they are supporting.
  • All testing software, hardware, and other expenses related to the work performed under this grant are the responsibility of the grant applicant.

We are less concerned about there being enough work to fulfill the full year of support Taylor is proposing. We think Taylor has a lot of great ideas and is on the right path in terms of prioritization of the efforts he envisions pursuing. In addition to performing audits, Taylor also wants to provide ad-hoc security guidance to developers in our ecosystem which can be achieved through the building of relationships with the ecosystem of developers. These kinds of relationships could help projects get ahead of security issues before they occur rather than waiting for an audit finding to come knocking. We like this proactive approach.

While we are deliberating internally and getting our newest ZCG member @dontpanicburns up to speed on the grant, we want to hear more from developers in this ecosystem: are you open to building a relationship with Taylor, interested in seeking his guidance for security-related topics, and open to leveraging his expertise for security audits and other purposes?

@adityapk00 @NighthawkWallet @hanh @skyl @birdify @zancas @little.slingshot @pitmutt (The forum will only let me tag 10 people total)



Also note that I’ve pushed the deadline for the first milestone back one month to the end of September. This will leave time for ZCON, DEF CON, and hand-off of my current responsibilities.


I think (? @zancas @AloeareV ?) I speak for everyone at Zingolabs when I say we would be very open to working with @earthrise!


We are definitely open to working with @earthrise. Having this type of resource available for the ecosystem will add tremendous value.

I also think this model could be replicated for other consulting-type services the ecosystem could use, like legal reviews (Terms of Use, licensing, etc).


I would add design and documentation for this. Even maybe i18n/l10n if Zcash gets more adoption.


Having design services for the ecosystem, especially if it can keep the theme of CypherPunk Zero going, would be quite interesting.


Absolutely! I’m formulating a question or two right now that I’m going to ask in private to get the ball rolling.


Hello @earthrise & Zcash Community, I am happy to announce that at the recent @ZcashGrants meeting earlier this week, the committee has unanimously voted to approve this grant!


Awesome!! Thank you everyone for the feedback and ideas, and thanks to the @ZcashGrants committee for trusting me to take on this responsibility!


Excellent news, congrats @earthrise


Congrats @earthrise

Cheers to a more secure Zcash ecosystem :beers:


The Nighthawk team is ready to fully co-operate with @earthrise on software audits for Nighthawk Wallet on iOS & Android, the Zcash Block Explorer stack & dev-ops, and the security setup for lightwalletd infra.


I’m glad to see the Zcash ecosystem has someone like @earthrise on the job after what we are seeing today with Solana.


I’ve set up an email address for this effort: zecsec@defuse.ca. If you’d like to get in touch in advance of the grant work starting, you can email me there. Once things get going I’ll make sure I’m in all the communications channels the community normally uses and I’ll set up private communication channels with projects as I audit/onboard them. :slight_smile:

I’m excited to meet everyone at Zcon!