---
AGP: 37
Title: Retainer for Ongoing Aragon Network Security Provider
Author: maurelian (@maurelian)
Status: Rejected
Track: Finance
Created: 2019-04-10
---

# AGP-37: Retainer for Ongoing Aragon Network Security Provider

### Summary

We propose to continue our work securing the Aragon Network, on a retainer basis for a 6 month period, working with the entities responsible for developing aragonOS, Aragon apps, and other code of interest.

## Address of the transfer recipient

0xF0001193a7919B14417c038604846D7b3F8F4BC3

## Amount of the transfer

120,000 DAI

## Number and frequency of transfers if recurring (enter “1” if only one payment will be made)

2 transfers of the amount above, payable every 3 months starting after ANV-02 has completed.

## Purpose of the transfer

### Description of Services

#### 1. Iterative Security Review Services

In each 3 month period, we will allocate 5 weeks of 2 people "actively auditing". This may include smart contract auditing, penetration testing, application security review, or other intensive security review related work.

We respectfully request a minimum of 2 weeks notice in advance of initiating an active audit phase.

If the full allocated time is not utilized in a given 3 month period, the difference will accumulate and carry over to another 3 month period. If Aragon One requires more time, we will charge the prorated fee in subsequent voting periods, or through the proposed [ANSP Engagement Policy](https://forum.aragon.org/t/draft-agp-for-anv-02-ansp-engagement-policy/750).

#### 2. Secure Development Process Advisory Services

We will continue offering bi-weekly calls to assess and advise on the security of development processes, with the objective of enabling security, agility, and consistency in the release schedule.

### Our commitment

#### Responsiveness

The time allocation and advance notice outlined above are not designed to add friction or bureaucracy to our work with Aragon One or other teams.
Between audit periods, we will continue to support, advise and engage with the Aragon One team.

We understand that time estimation is difficult in software development, and we encourage caution over meeting arbitrary deadlines. If a start date needs to be postponed, or something else needs to shift, we will make our best effort to accommodate.

We currently have two excellent auditors working on Aragon. Under this retainer arrangement we will train up more excellent people on the Aragon codebase to make that kind of responsiveness possible.

We will also actively seek opportunities to enrich security knowledge and discussion across the entire Aragon Flock and community, and look forward to opportunities to work with other Flock groups.

#### Transparency

We will engage with the community to improve their awareness of security health in the Aragon Network by the following channels:

* Attendance in bi-weekly all-devs calls
* Monthly reporting on our activities and outcomes in the Aragon Forum
* Public reports on findings from each active audit phase

## Recipient information

Organization Name: ConsenSys Diligence Inc.

Website: https://diligence.consensys.net

Other URL: [Our portfolio](https://consensys.github.io/diligence/)

Fill out the following information for each individual team member who will be managing funds from this transfer:

Name: Maurelian

PGP key fingerprint: DB2BA6DAA44C8330

Name: Goncalo Sa

PGP key fingerprint: 7194D885E14F7E36

## License

Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).