Proposal [Non-Constitutional]: **Procurement Framework [Security Service Providers]**

Abstract - Creating a procurement framework for security-oriented service providers within the ArbitrumDAO. The proposal aims to create a streamlined & harmonised approach re. service procurement for security-oriented services.

Motivation - Procurement Frameworks maintain quality control, ensuring consistency in the services procured. These frameworks also promote transparency and fairness, building trust and adhering to legal standards. Moreover, they aid in risk management, safeguarding against various procurement-related risks, and streamline processes for time-saving and operational efficiency.

Rationale - This procurement framework is designed to ensure that only qualified and reliable security service providers are selected, thereby safeguarding the integrity and security of the projects within the Arbitrum Ecosystem. This will aid in ensuring that the security-specific needs of projects building within the Ecosystem are safeguarded to a larger extent & thus serve to safeguard the high standards and reputation of the Arbitrum Ecosystem.

Specifications & Timeline - Specifications & timeline can be found in the following sections.

Steps to Implement - This AIP will move to a Snapshot vote on the 24th of November 2023. Passing of the Snapshot vote will be deemed as a ratification of the Procurement Framework. There are no associated costs with the implementation of the Procurement Framework.

Overall Cost - No cost for AIP implementation.


EXECUTIVE SUMMARY

  • This procurement process is designed to ensure that only the most qualified and reliable security service providers are selected, thereby safeguarding the integrity and security of the projects within the Arbitrum Ecosystem.
  • Should the ArbitrumDAO vote for the implementation/ratification of this framework, we will then be proposing the setup of the Procurement Committee that will facilitate & administer this framework.
  • The proposal for the procurement committee will also contain further details on the operational implementations that are to be effected in documenting, record-keeping, and disclosing material in relation to the procurement framework.

The document outlines a comprehensive procurement framework for the Arbitrum Ecosystem, focusing on sourcing and selecting service providers for blockchain security and related services. It comprises several key components:

  • Needs Assessment: Identifying and prioritizing the specific requirements of the Arbitrum Ecosystem, including evaluating the current situation and determining market availability for the required services.
  • Defining Eligibility Criteria: Establishing standards for technical expertise, reputation, tools and techniques, and financial stability that service providers must meet to be considered.
  • Publication of Request for Proposal (RFP): Detailing the scope of work required and the submission guidelines for prospective service providers, along with evaluation criteria and a timeline for the procurement process.
  • Proposal Submission: Requiring service providers to submit comprehensive documentation for evaluation, with submissions made via ArbitrumDAO Forums, allowing community feedback and private collection of sensitive information.
  • Evaluation of Proposals: This includes initial screening for eligibility, in-depth technical and commercial evaluations, reference checks, and possibly interviews, with a focus on transparency and community involvement.
  • Whitelisting, Onboarding & Contracting: Selecting the most suitable service providers, conducting Know-Your-Business processes, facilitating contract negotiations, and finalizing approval of agreements.
  • Ongoing Obligations and Ancillary Matters: Monitoring performance, establishing feedback loops, setting renewal criteria, outlining exit strategies, and ensuring thorough documentation and record-keeping using tools like Airtable for transparency.
  • Public Disclosure: Making key details of the procurement process and the list of whitelisted providers publicly available, respecting confidentiality agreements.

OVERVIEW

[1] On the 3rd of November, DK (Premia) posted a proposal on the Arbitrum DAO Forums aimed at establishing a framework for security-oriented proposals via a consolidated framework (Proposal: The Arbitrum Coalition). By way of a summary, the proposal on the Arbitrum DAO forum discusses establishing a Request for Proposal (RFP) process to consolidate the selection of auditors and security service providers within the Arbitrum ecosystem (for the purposes of this endeavor, we shall be referring to this consolidated framework as the ‘Procurement Framework’).

[2] The Snapshot Vote for the establishment of the aforementioned Procurement Framework has since passed (Snapshot).

[3] On the 10th of November, Immutablelawyer posted a public consultation period on the Arbitrum Forums (ref. Public Consultation re. 'Consolidate Security Proposals into an RFP Process'). This contained a base-line framework aimed at giving some context to community members & relevant stakeholders intending on participating in the public consultation. The Public Consultation ended on the 22nd of November 2023. Following calls held, submissions received & several discussions with numerous ecosystem participants, we would now like to present the final procurement framework for ratification via Snapshot.

We would like to thank all participants who took their time to provide insight in this endeavor. This was a true testament to the collaborative nature of this ecosystem.

Google Doc: Snapshot Proposal Ratification: Procurement Framework

[Procurement Framework for Ratification]

1. ‘Needs’ Assessment

  • Gather Phase: Collect detailed information on what is needed in the Arbitrum Ecosystem. This involves understanding the specific requirements of the end-users, the goals of relevant stakeholders, and any constraints (budgetary, time, legal, regulatory, procedural etc.). This stage often involves interviews, surveys, or group discussions with stakeholders.
  • Analyze Current Situation: Assess the current resources, systems, or services in place. Determine if there are gaps between the current state and the desired state. This analysis should consider whether existing solutions can be upgraded or if new solutions are needed.
  • Define the Scope of the Need: Clearly define what is needed to address the gap identified in the current situation analysis. This definition should be as specific as possible, outlining the functionalities, features, quality standards, quantities, and any other relevant attributes.
  • Prioritize Needs: Not all needs have the same level of urgency or importance. Prioritize the needs based on factors like strategic importance, impact on operations, cost-benefit analysis, risk mitigation, and regulatory compliance.
  • Assess Market Availability: Research the market to understand what products or services are available that meet the needs identified above.

1.1. Defining Eligibility Criteria

  • Technical Expertise: Prospective Service Providers must demonstrate expertise in blockchain security, including prior experience with smart contracts, the Ethereum network, and Layer 2 solutions like Arbitrum.
  • Reputation: A track record of successful security audits, with references and case studies.
  • Tools and Techniques: Tools for detecting vulnerabilities, including static and dynamic analysis, and formal verification methods.
  • Financial Stability: Proof of financial stability to ensure the longevity and reliability of the service provider.

2. Publication of the Request for Proposal (RFP)

  • Scope of Work: Following the conclusion of the ‘Needs Assessment’, the Procurement Committee (PC) will publish a request for submissions. This will be done via the ArbitrumDAO Forums, wherein a detailed description of the services required, including security audit scope, frequency, and expected deliverables, will be provided by the PC.
  • Submission Guidelines: Clear instructions on how to apply, including formats and submission channels, will be provided for prospective applicants so that the approach is harmonized in nature.
  • Evaluation Criteria: Metrics on how prospective service providers will be evaluated [as per ‘Eligibility Criteria’].
  • Timeline: Submission deadlines and timeline for the evaluation process.

3. Proposal Submission

  • Documentation: Applicant service providers must submit comprehensive documentation, including company profiles, client testimonials, and detailed descriptions of methodologies.
  • Submissions: Will be effected on a dedicated section of the ArbitrumDAO Forums. This way, the PC can already get a sense of community feedback prior to putting the security service provider through the procurement process. Financial statements & other ancillary information will not be required to be posted publicly but will be collected through private channels.

4. Evaluation of Proposals

  • Initial Screening: Verification of compliance with the minimum eligibility criteria.
  • Technical Evaluation: In-depth review of technical capabilities, methodologies, and tools.
  • Commercial Evaluation: Assessment of cost-effectiveness and value for money.
  • References Check: Verification of the provider’s references and past performance.
  • Interviews: The PC may conduct interviews with the top candidates.
  • Emphasis should be placed on documenting each step of the procurement process and communicating select steps in a consolidated manner to the community for review & input.
  • In this regard, the PC can set up a dedicated Notion page wherein the aforementioned details can be inputted, and then linked from the Forum updates posted by the PC.

5. Whitelisting, Onboarding & Contracting

  • Selection: The PC will select the most suitable providers to be whitelisted for service-subsidies based on them validly passing the procurement process.
  • The PC will facilitate Know-Your-Business processes so as to make sure that all prospectively whitelisted service providers pass standard KYB checks.
  • Contract Negotiation: The PC will facilitate & administer the process for the finalization of the contractual provisions regulating the engagement between the service provider chosen by the projects & the project itself. Most importantly, the PC has to ensure that the pricing ‘advertised’ by the service provider for the service requested is consistent with the agreement.
  • Approval: Final agreements will be reviewed and approved by the PC before signing.

Ongoing Obligations of the Procurement Committee & Ancillary Matters

[i] Performance Monitoring and Review

  • Regular Audits: Random checks by the PC during the audit process so as to ensure compliance with SLAs.
  • Feedback Loop: A system for feedback from the projects utilizing the subsidized services. This will be pivotal in ensuring that the PC maintains a certain level of quality assurance so as to consistently assess whether any factors that led to the service provider passing the procurement process have changed.

[ii] Renewal and Exit Procedures

  • Renewal Criteria: Every 4 months, the PC will re-evaluate whitelisted service providers by carrying out an assessment re. the Eligibility Criteria so as to make sure that Service Providers are still eligible.
  • Exit Strategy: If a Service Provider is removed from the whitelist, the PC will publish an announcement outlining the reasons for the removal.

[iii] Documentation and Record Keeping

  • Audit Trail: All stages of the procurement process will be documented and records maintained for accountability and transparency.
  • The PC will be using Airtable to document every stage of the procurement process.

[iv] Public Disclosure

  • Transparency: Key details of the procurement process and the list of whitelisted providers will be made publicly available, respecting confidentiality agreements.

We look forward to your final feedback and potentially seeing the framework in action!

Kind regards,
Joseph (Immutablelawyer)
Axis Advisory

12 Likes

Thank you for creating a framework @Immutablelawyer. I generally support an RFP methodology for service providers and this could extend to any service provider agnostic of domain.

Questions:

  • What mechanisms are in place to prevent any preferential treatment or biased language in the RFP that could favor certain service providers?
  • How will confidentiality of sensitive information submitted by service providers be maintained?
  • How will situations where a whitelisted service provider fails to meet performance standards or faces issues in the service delivery be handled?

General feedback:

  • The DAO needs to ensure that the needs assessment is not influenced by specific vendors.
  • In order to avoid potential conflicts of interest the Procurement Committee should not include current or former members of security service providers.
  • Implement a scoring system and clearly defined evaluation criteria to minimize subjectivity, and provide transparency on the evaluation process.
  • Explore the possibility of establishing an independent oversight body or allowing community members to participate in specific stages of the procurement process.
  • Establish a feedback loop that allows for iterative improvements to the procurement process.

5 Likes

Appreciate your comment @jengajojo !

  • What mechanisms are in place to prevent any preferential treatment or biased language in the RFP that could favor certain service providers?

Answer: Once a needs assessment is carried out (in this case, the need is naturally security-oriented services), the PC will draft a Request-For-Proposal. The Request-For-Proposal is always generic in nature and strictly adheres to the needs identified in the Needs Assessment. Hence, one cannot favour service providers here - it will be open to all SPs that provide services in conformity with the need (there is no gatekeeping).

  • How will confidentiality of sensitive information submitted by service providers be maintained?

Answer: We are currently in discussions to have the sensitive information (such as financial statements that show the good financial standing of a SP), collected via independent third parties such as Fractal as part of the KYB process.

  • How will situations where a whitelisted service provider fails to meet performance standards or faces issues in the service delivery be handled?

Answer: Whitelisted SPs will be monitored on an ongoing basis. The PC will be carrying out random checks both on the project side and the SP-Side during the contractual period for the service to assess the quality of service and gather feedback from projects on the quality of service offered by the SP. Furthermore, as per the [Renewal & Exit Procedures] Section - every 4 months, SPs will have to resubmit their documentation re. the Eligibility Criteria so that the PC makes sure that the standard that led to them being whitelisted, has remained the same. If not (let’s say a SP is no longer financially sound), the SP will be removed from the Whitelist.

Really appreciate your questions & also your general feedback @jengajojo ! Will definitely take these into account even when discussing the operational mechanisms of the Procurement Committee in our next proposal, should this Framework be ratified!

Kind regards,
Joseph (Immutablelawyer)
Axis Advisory

6 Likes

Many thanks to you both for the time spent putting this together. It is very thoughtfully designed and well-written. We think it’s a great framework that is going to significantly increase efficiency, transparency, and most importantly effectiveness of security services for the ecosystem.
We had one question though - how do you expect the ‘service subsidies’ to work? Our hope is that subsidies would be applied in an equal manner regardless of the service provider selected, but any detail you can share there would be helpful.
We look forward to the ongoing dialogue and to eventually participating in the process.

Thanks!
Halborn

4 Likes

Hey guys!

Firstly, thank you for participating in the public consultation round - your input was valuable.

Right now, our immediate scope was setting up the framework. The funding for the SP Subsidies is currently being worked on separately. I wouldn’t want to give you a half-baked reply and thus, I will pin this comment for reference and reply in full detail once the matter is finalised. However, keep in mind that the underlying principles @dk3 & I worked with are [1] An open-door policy approach & [2] Equitable & Non-preferential mechanics. Hence, rest assured that the subsidy parameters will naturally reflect these principles!

Kind regards,
Joseph (Immutablelawyer)
Axis Advisory

4 Likes

Proposal Outline and Importance

This proposal aims to create a structured framework for selecting security service providers within the ArbitrumDAO. Its focus is on enhancing project integrity and security across the Arbitrum Ecosystem, which is critical for maintaining high standards and building trust within the community. This initiative is key for ensuring a streamlined approach to security, which aligns with Arbitrum’s objectives of safeguarding its ecosystem.

Improvements and Recommendations

  • While the proposal’s goals are clear, it could have further clarification on how the framework will evolve with changing security needs.
  • The proposal could be strengthened by including case studies or examples of similar frameworks positively impacting other ecosystems.

Closing Remarks

We support the proposal’s aim to establish a comprehensive procurement framework for security services within the ArbitrumDAO. It addresses a crucial need within the ecosystem and, if implemented correctly, could significantly contribute to the safety and integrity of the Arbitrum network. We look forward to seeing these improvements discussed, which would solidify our already strong support for this initiative.

5 Likes