[Non-constitutional] Subsidy Fund for Security Services

@coinflip, thanks for the feedback! Appreciate the time you took going through, and happy to clarify a few aspects about the ADPC’s mandate and process - some of them might directly resolve a few of your remarks:

(1) On your comment ‘ADPC has not made public (or not linked here) which vendors qualified or didn’t qualify and why’:

  • Exactly right, the ADPC is currently in the process of setting up the procurement framework to whitelist security service providers for the DAO. Given the large amount of legal work required to structure an RFP, it is still in the drafting phase and has not yet been published to procure any security service providers.
  • To shed some more light as to why, the RFP includes a Framework Agreement which outlines detailed considerations around general provisions of the framework, administration of the framework, financial provisions, personnel, information management, risk management, IP rights, termination and dispute, delivery, security, and reporting. The RFP also includes an Order Form and Contract Details for all applicants. As you can imagine, this framework is comprehensive and requires time to put together, refine, and publish. Moreover, we are also putting time into defining the infrastructure around accepting RFP responses and evaluating them fairly, including sourcing a security expert as an advisor to aid us in judging applications.
  • The aim is for the ADPC to publish the RFP at the end of April, with applications needing to be submitted 4 weeks after the RFP being published and a subsequent review period consisting of 8 weeks, which will be a rolling process where the ADPC will approve applicants through the course of this period. We will start accepting applications for the Subsidy Fund only after vendors are whitelisted as part of this process.
  • As such, the ADPC will make public the vendors that have been whitelisted, along with a rationale for their selection. The intention was never to make decisions in a silo and always make the reasons for selection public. We will also publicise which vendors have not been selected but will not provide a reason for their non-selection in the interest of privacy.
  • Furthermore, the ADPC’s mandate was always to act as the screening committee to decide the vendors to whitelist for the program. As you can see in the Tally vote which established the ADPC, ‘the ADPC bears the responsibility of diligently executing the steps essential to implement the aforementioned procurement framework’.

(2) On your remarks ‘ADPC will directly administer and decide on which protocols are recipients of this $10m’ and ‘no oversight board or technical board with specific expertise in the area of these grants’:

  • Fully agree here on the gap in security experience - as mentioned above, we are in the process of sourcing a neutral security expert as an advisor to aid us in judging both applications from service providers during the RFP process and applications from projects looking to receive subsidies from the Subsidy Fund.
  • On management, the original intention around the drafting of the original ADPC proposal was that the ADPC would execute the Subsidy Fund, and we have received no other indication from the rest of the community that another committee is required to handle fund disbursement.
  • Besides that, from an operational standpoint, we would feel comfortable managing it, bringing in our experience from running the Uniswap-Arbitrum Grants Program (UAGP).
  • Obviously, if there is consensus from the DAO on standing up another separate committee to disburse grants from the Subsidy Fund, we are very happy to take that into consideration.

(3) On your question ‘no DAO voting either directly or via an Optimistic process with challenge’:

  • Good idea, we’d be happy to institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients if it works operationally. At this point in time, the Optimistic Governance Module that is being developed by Axis Advisory & Tally is not available for use yet.

(4) On your comment ‘if you feel the proposal should go to the DAO as is please do consider providing delegates multiple voting options on significantly smaller program size’:

  • Hear you on this one, we are not married to this number but merely see it as a reasonable starting point. In that sense, agree with your suggestion to reflect different options for funding amounts in the initial Snapshot. We propose $2.5M over a 2-month period, $5M over a 4-month period, or the original $10M over an 8-month period.
  • For more context on the $10M, as explained in @ImmutableLawyer’s response to @cp0x above, the amount requested was based on data we obtained via a public consultation where we consulted security service providers on their fee structures and scope of services. The mere size was seen as a high enough amount to provide sufficient impact and justify the efforts going into structuring the program.
  • The $10M size is based on the assumption of a 2-month audit at an average cost of $200K, which will allow the ADPC to fund 50 projects over the 8-month program. Any unutilised funds will be sent to the ArbitrumDAO Treasury or, if the ADPC’s mandate is extended, transitioned over to the next iteration of the ADPC.

Just to recap, if there is consensus from delegates on the below, we are happy to:

  1. Stand up a separate committee to disburse the Subsidy Fund.
  2. Institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients.
  3. Start with a smaller program, e.g., of $2.5M over a 2-month period or $5M over a 4-month period before additional funds are requested to continue the program.

If you have time to respond, obviously much appreciated and thanks again for the helpful guidance.