Request for Proposal - The ADPC Security Services Panel and Procurement Framework

[Edit 20-Jun-2024: Changed “Appendix A” to “Appendix 1”]
[Edit 01-Jul-2024: Fix Typo in contact email. Correct email address is: arbitrumdaoprocurementcommitte@gmail.com]
[Edit 05-Jul-2024: extended deadlines]
[Edit 24-Jul-24: clarified evaluation period and updated submission dates to reflect the official dates]

This post officially launches the ADPC Security Services Panel and Procurement Framework and invites applications from security service providers and software auditors to become whitelisted Sellers on the ADPC’s new Security Services Panel.

We invite all prospective applicants to review the attached Application Process and Head Agreement for details on the evaluation criteria and response format.

The Application Process and Head Terms can be downloaded here.

Publish Date:

Wednesday, 19 June, 2024

Questions Close Time:

12:00 UTC on Tuesday, 16 July

Close Date & Time:

12:00 (UTC) Monday 22 July 2024

Please Note: This is the only official RFP issued by the ADPC. It replaces all prior summaries, commentaries and drafts in relation to the Security Services Procurement Framework.

This new panel will:

  • establish the marketplace to allow whitelisted Sellers to offer services to Buyers (ergo, projects granted subsidies as per the Security Services Subsidy Fund Proposal) under pre-agreed terms, conditions and pricing;
  • support Arbitrum DAO’s mission to take advantage of strategic sourcing opportunities available to market leaders;
  • facilitate the proper use of grant funds in a transparent manner with a focus on value-for-money considerations and probity with respect to the procurement process;
  • improve efficiency and automation in the acquisition of commonly used services such as those offered by the security services and software audit industry.

The Procurement Framework is a mandatory procurement framework. The expectation is that Buyers and Sellers must abide by the terms of the Procurement Framework in order to take advantage of the subsidy fund for security services. This includes the requirement for Buyers and Sellers to agree to the Head Terms and Work Order Terms (see Schedule A of the Head Terms) as well as executing the mandatory waivers referred to in Appendix 1 of the Application Process.

What is the Procurement Framework?

To provide some context on the undertaking here: the Procurement Framework Head Agreement, Templates and Application Process will establish the industry’s first ever strategic sourcing procurement framework. You can find out more about the background to this in the Tally vote establishing the ADPC here.

The Application Process Document is effectively an RFP allowing the ADPC to evaluate and select whitelisted security service providers who can then engage with buyers under a pre-agreed set of marketplace rules and pricing under the Head Agreement. The Head Agreement included within the Application Process has been prepared by the Arbitrum Foundation who will be the counter-party for service providers whitelisted by the ADPC.

The marketplace will be established with pre-agreed legal and engagement terms whereby whitelisted service providers (Sellers) can offer their services to grant recipients (Buyers) referred to in this Snapshot.

For a high level representation of the Framework and flowchart, this diagram will help:

What is the Rationale for this Approach?

This Procurement Framework has several distinct advantages. This Framework:

  • Is Arbitrum DAO focused and value accretive (as explained below);
  • Allows emerging projects to rapidly engage audit/security service providers without having to run their own RFP process or pay costly legal fees associated with the typically lengthy negotiations to establish service agreements. This time/cost saving allows ecosystem builders to spend more time on building and less time on admin;
  • Generates significant buying power for Arbitrum DAO if used as a mandatory procurement vehicle;
  • Retains open market, competitive tension between service providers. Once the whitelisting process is complete, the ADPC plays no further role in selection of service providers for specific projects. The Buyer retains flexibility to choose the Seller best suited for their scope and budget;
  • Establishes high levels of transparency in the procurement process; and
  • Will benefit Sellers by creating a level playing field for both new entrants and established organisations.

The Framework is adaptable in nature. The strategy and model documents employed are based on well-established strategic procurement methodology that can be re-used in other procurement contexts. These templates are designed to be used by Arbitrum DAO to facilitate any other procurement in the technology sector. Software, hardware, professional services, Cloud Services, Game Development, AI, etc. can be procured through a framework established via the Application Process template, Head Terms and Work Order Terms, adjusted to suit the vertical being procured.

Currently, the scope of “buyers” is limited to the cohort of grant recipients approved under the Subsidy Fund discussed here. However, this set can be extended to include other groups, each of which can have bespoke rules applied if necessary. This will allow other grant programs to take advantage of the current framework if approved by Arbitrum DAO, with suitable adjustments to the terms.

Application Process

Applicants should apply via the Application Form below:

Points to Note

  • Please fill in the following 4 fields (Name, Email, Point of Contact, Company Description) in the application form and submit your entire document containing answers to all of the questions outlined in the Application Process Document (Part 2, Matters Containing Application Response) in PDF format.
  • If your document exceeds the 10MB maximum file size, please email us your response in PDF format to arbitrumdaoprocurementcommitte@gmail.com. The document you submit via the application form or via email should be the entire response containing all information, including confidential information.
  • In addition to your submission on this form, please submit a scrubbed PDF without any confidential information as a shareable PDF link as a response to this forum post. Include the following details on your forum post response along with the scrubbed PDF link: Name, Email, Point of Contact, Company Description.

Timelines

As mentioned above in this post, applicants will have 4 weeks to respond to the RFP, starting on the day of publication and extending until 12:00 (UTC) Monday 22 July 2024 (Closing Time). You are welcome to submit your response before the Closing Time.

Following this, the ADPC and DeDaub (as ratified in this Snapshot vote) will review responses for a period of approximately 4 weeks from 22 July to 19 August (however this may take longer depending on the number of applications submitted). Any discussions and clarifications from the ADPC with applicants will take place during this period however all questions must be submitted to the ADPC by the Questions Close Time of 12:00 UTC on Tuesday, 16 July.

Points to Note

Please note that, for reasons of probity and to ensure a level playing field, we cannot answer questions for any individual applicant without communicating the question and response to the broader set of applicants. Questions can be anonymised on request. Applicants are encouraged to join this Telegram group for further communication and questions:

https://t.me/+lyn8LCx7_3U5NTU0

Next Steps

The ADPC bi-weekly session on Thursday 27 June will be used as an FAQ session for applicants to ask any questions. For any other questions, feel free to ask them directly on the Telegram group before the Question Closing Time.

Future Work

The model documents and procurement strategy used in this Procurement Framework can be used for other verticals of goods and services but are not completely modular in nature as the legal documents need to be redrafted and the frameworks created from scratch each time.

It is possible to create legal documents that allow for an additional level of abstraction in the procurement framework - a “framework of frameworks”. Such higher level procurement frameworks are common in the public sector but have never been implemented in a Web3 context.

The ADPC has already started developing improvements to this framework for its next term (should Arbitrum DAO agree to an extension). This includes an updated abstracted model to simplify procurements further and provide a completely modular approach that retains a single set of Head Terms and Work Order Terms with modular marketplaces added and removed over time as dictated by the needs of Arbitrum DAO. This future model will also expand on the use of code deference provisions tied directly to on-chain governance to permit the DAO to directly control the creation and wind-down of procurement frameworks.

As mentioned above, the Framework has the potential to generate significant buying power and cost savings across Arbitrum DAO if used as part of a strategic sourcing initiative. In more advanced phases, this aggregated buying power can be offered to other Arbitrum DAO-aligned protocols and projects at a fee - income that can be returned to treasury and put toward other Arbitrum DAO initiatives.

We will expand on these initiatives in future posts.


Nethermind Security ADPC Proposal (Forum Version)
Company Description:
Nethermind’s work touches every part of the web3 ecosystem, from layer 1 and layer 2 engineering, cryptography research, and security to application-layer protocol development. As core contributors to Ethereum’s development, our execution layer client plays an important role in advancing the network, and we actively collaborate with the broader Ethereum community. Within the Starknet ecosystem, we deliver infrastructure and developer resources, including a node implementation, a block explorer and API platform, and plugins for Starknet builders.
We offer strategic support to our institutional and enterprise partners across blockchain, digital assets, and DeFi. Our team is equipped to guide you through all stages of the research and development process, from initial concepts to successful implementation.
On the Security front, Nethermind Security is composed of an amazing team of auditors for both Solidity and Cairo. Nethermind Security is perhaps the biggest Cairo auditing firm and one of the most prominent and respected Solidity auditing firms. Our Nethermind Security clients include Worldcoin, Ethereum Foundation, Starknet, zkSync, EtherFi, Swell, Gnosis, Gyroscope, Ondo, Puffer, and many others. Apart from smart contract auditing, Nethermind Security also provides specialized formal verification in ZK-circuits verification, EVM-based smart contract verification, and Starknet smart contract verification, and our real-time monitoring team designs custom Forta Network detection bots for blockchain protocols.

Here is a link to some of our public audits
Here is more information about Nethermind Security

Point of Contact: James Baggett, VICTOR
Email: james@nethermind.io, nethermind-security@nethermind.io
Telegram: @bitc0x


Guardian ADPC Proposal
Company Description:
The Guardian team boasts extensive Smart Contract security expertise, having uncovered over 1,000 Smart Contract bugs and vulnerabilities over the last two and a half years. Guardian specializes in only Solidity reviews and spares no efforts with our devastatingly effective and novel approach to Smart Contract security.

More specifically, the Guardian team has safeguarded hundreds of millions in TVL held in some of the most impactful Arbitrum ecosystem protocols, such as GMX, Abracadabra Money, Synthetix V3, and Dolomite among others.

Company Name: Guardian
Email: audits@guardianaudits.com
Point of Contact: Owen Thurm

Scrubbed PDF: Scrubbed_Guardian_Arb_Proposal.pdf - Google Drive

Name: Sherlock
Email: chris@sherlock.xyz
Point of Contact: Chris Stevenson

Sherlock is a leading security company dedicated to safeguarding Web3 with its revolutionary audit contests, in which the world’s leading security researchers compete to find vulnerabilities in users’ code bases. Our unique approach combines the meticulous focus and collaboration of traditional audits with the breadth of security expert participation from an audit contest, creating a “best of both worlds” solution.

Simply put, Sherlock consistently finds more critical/high-severity bugs in less time than other audits.

Sherlock’s consistent track record of exceeding expectations has fueled high demand for our audits, supported by the number of projects that return for a second audit after their initial success. This list includes:

Optimism, GMX, Ajna, LooksRare, Gitcoin, Index Coop, Rio Network, Opyn, Notional, OlympusDAO, Lyra, Perennial, Sentiment, Symmetrical, BOND Protocol, Merit Circle, DODO, JOJO, NounsDAO, Footium, Illuminate, Union Finance, Unstoppable/Alchemix, WAGMI, Blueberry, Telcoin, Cooler, Teller, Sense and many others.

We have completed over 185 audits with a 98% success rate of finding at least a Medium-severity level vulnerability.

Please find our complete application at this link.

Other Links:

Website
Sherlock Active Audit Page
Past Audit Reports

Case Study 1: Tokemak Case Study
Case Study 2: Index Coop Case Study
Case Study 3: Ajna Finance Case Study
Case Study 4: Perennial Case Study

Please find OpenZeppelin’s Application Response to join the ADPC Security Services Marketplace here: OpenZeppelin ADPC Application (PDF) - Google Drive

Name: OpenZeppelin
Email: sales@openzeppelin.com
Point of Contact: Michael Lewellen
Company Description: Founded in 2015, OpenZeppelin is the world leader in securing blockchain applications and smart contracts. Its bedrock open source Contract Libraries are a public good and industry standard for smart contract development. OpenZeppelin’s professional expertise, unified with the Defender developer security platform, integrates through clients’ development lifecycles, so teams can plan, code, audit, deploy and operate projects faster and more safely.


Name: Stephen Tong (Co-Founder and CEO, Zellic)

Email: stephen@zellic.io

POC: Kaushik Swaminathan (Head of Growth, Zellic), kaushik@zellic.io

Company Description:

Zellic is a vulnerability research firm with deep expertise in blockchain security. We specialize in EVM, Move (Aptos and Sui), and Solana, as well as ZK and Cosmos. We identify complex vulnerabilities and prevent catastrophic security events.

We work with some of the largest L1s—Solana Foundation, Aptos Labs, and Mysten Labs—and L2s—StarkNet, Scroll, and Mantle—to identify bugs in networks, application layers, custom precompiles, and more. We review L1s and L2s, cross-chain protocols, wallets and applied cryptography, web applications, and more. We also have a dedicated zero-knowledge cryptography team, and work closely with projects like Scroll, Axiom, and Succinct Labs.

Zellic is led by Stephen Tong and Jasraj Bedi, who previously founded the #1 CTF team worldwide in 2020, 2021, and 2023. Our engineers bring a rich set of skills and backgrounds, including cryptography, web security, mobile security, low-level exploitation, and finance. We’re also a founding member of the Security Alliance (SEAL) led by samczsun, an industry effort to raise the bar for blockchain security.

ADPC Application: Link

Name: Eduardo Morgado

Email: eduardo.morgado@threesigma.xyz

Point of Contact: Eduardo Morgado, CEO eduardo.morgado@threesigma.xyz

Telegram: @maverickk90

Company Description: Three Sigma is a blockchain engineering firm that specializes in code auditing, development, economic modelling, and risk assessment services. By working closely with crypto founders, our mission is to empower their protocols for long-term success and thriving in the blockchain ecosystem. We conduct comprehensive audits of codebases for clients and projects intended to be deployed on the blockchain. Our primary objective during these audits is to ensure the correct functionality of the code and identify any bugs or errors that could potentially lead to financial losses of billions of dollars or other detrimental consequences. This service requires a high level of technical expertise as we meticulously analyze the codebase to guarantee its integrity and reliability.

Here is a Google Drive link containing the proposal and all relevant attachments: Arbitrum Proposal - Google Drive

Dear Arbitrum DAO frens,

Name: Ofir Perez

Email: sombrero@hats.finance

Point of Contact: sombrero@hats.finance

Company Description: Hats is a decentralized protocol for hosting non-custodial bug bounties and audit competitions.

Link to the scrubbed PDF: Hats Finance Arbitrum Proposal (Copy of MARKETPLACE PANEL APPLICATION PROCESS and CONDITIONS.pdf - Google Drive)

Greetings — Vlady Che from Hacken here. I appreciate the great effort in putting this RFP together and the consultative support by the ADPC, the Committee, and all entailing entities.

Email: v.che@hacken.io
Point of Contact: Sr. Partnership Manager
Company Description:
Hacken is a trusted blockchain security auditor on a mission to make Web3 a safer place by contributing to security standards.

Established in 2017, we have audited 1,200 clients. As a vertically-integrated company with 150 global talents, including 60+ certified engineers and 10 CCSSAs, Hacken delivers high-quality solutions at every level of blockchain security.

As a contributor to the European Blockchain Regulatory Sandbox, Abu Dhabi Global Market, the Enterprise Ethereum Alliance EthTrust Security Levels Specification and a member of INATBA, over 180+ Web3 projects choose Hacken as a trusted security partner. We are continuously raising the bar for blockchain security.

Our services include Smart Contract Audit, Blockchain Protocol Audit, dApp Audit, Penetration Testing, and CCSS Audit. Our product portfolio features HackenProof bug bounties, CER.live cybersecurity ranking, and Extractor on-chain monitoring.

Hacken’s security services are recognized by CoinGecko and CoinMarketCap.

Hacken clients and partners include top-industry players, such as 1inch, BNB chain, DAO Maker, Gate.io, HTX, NEAR, OKX, MetaMask, and the European Commission, to name a few.

Link to the scrubbed proposal for ADPC: ADPC Hacken Proposal.pdf - Google Drive

Other links:

Cyfrin is a leader in Web3 security, providing a comprehensive suite of services, including smart contract audits, open-source developer tools, and educational resources. Our commitment to quality and thoroughness is demonstrated by our Multi-Phased Audit approach, which combines private audits conducted by Cyfrin and competitive audits facilitated through our CodeHawks platform.

Cyfrin’s multi-phased approach, combining expert researchers and a dynamic security community, ensures meticulous vulnerability assessments and enhances security for Arbitrum projects. Our extensive industry expertise is evidenced by our work with some of the largest protocols and blockchains, including Chainlink, Wormhole, Swell, Casimir, Ondo, Beefy, Linea, zkSync, TempleDAO and others.

Please find Cyfrin’s Application Response to join the ADPC Security Services Marketplace here: Cyfrin ADPC Security Service Panel Application

Company Name: Cyfrin
Point of Contact: Mark Scrine
Email: mark@cyfrin.io, audits@cyfrin.io

Name: Joe Suzuki
Email: jsuzuki@immunefi.com
Point of Contact: Joe Suzuki, Senior Account Executive

Company Description: Founded in December of 2020, Immunefi is the leading crowdsourced security platform that offers managed bug bounty programs and audit competitions to the largest and most prominent set of blockchain projects across all ecosystems. As of July 2024, Immunefi actively protects over $150B in user funds across 340+ programs, representing approximately over 85% of all user funds protected by bug bounty programs in Web3.

Immunefi has the largest blockchain and smart contract proficient Security Researcher (SR) community with +45,000 registered users. Additionally, Immunefi’s community is the most talented in the world with over 1,000 elite level SRs (those who discovered a bug of critical severity - defined in terms of impacts including direct theft of funds, permanent freezing of funds, total network shutdown, etc). As of June 2024, we have paid out over $100M in bounties paid to SRs in 3.5 years, more than all other crypto crowd security platforms combined.

Immunefi provides both preliminary and the last line of defense in security to over 340 top tier clients such as Arbitrum, LayerZero, MakerDAO, GMX, Wormhole, Optimism, EigenLayer, among others.

Link to the scrubbed proposal for ADPC

Name: Mohammad Rayhan

Email: mohammad@spearbit.com

Point of Contact: Mohammad Rayhan

Telegram Contact : @mhdcryptox

Company Description: Spearbit Labs is a distributed network of industry-leading security researchers that tackle the most complex and mission-critical protocols across the web3 industry. Spearbit Labs was spun out of the Ethereum Foundation (EF) and the US Army to provide security advisory, audits, monitoring, competitions, bug bounties, and incident response services for organizations like Coinbase, Polygon, Optimism, Matter Labs, and OpenSea.

Here is a Google Drive link containing the proposal and all relevant attachments: Spearbit - Proposal

Contact Information

Name: Onkar Mule
Point of Contact: Onkar Mule, Head of Business Development.
Email: onkar@hyacinthaudits.xyz
Telegram: @theonkxr

Company Description

Hyacinth Audits, launched in 2023, is a decentralized peer-to-peer auditing platform. We connect top-tier solo auditors with projects, offering customizable, onchain validated audits across multiple ecosystems, including Arbitrum.

For more details: Arbitrum Security Application

Update Regarding Whitelisting of Security Service Providers:

The ADPC, with support from DeDaub, has conducted its review of RFP responses for the whitelisting of security service providers. We are pleased to announce that we have moved 9 of the 12 applicants to the last phase of the whitelisting process. The remaining tasks involve finalising legal agreements and resolving a few outstanding questions. Upon completion, the ADPC will officially announce the whitelisted security service providers.


Really great to see this program progressing. In terms of process, I have some questions:

  • Regarding the 3 of 12 that were not advanced, was it as a result of them not meeting certain requirements, or a mandate to limit the number of whitelisted participants?
  • If it was due to not meeting requirements, were they informed and given an opportunity to correct any submission deficiency?

Thanks for these questions @coinflip and thanks for the kind feedback.

While we can’t give out the specifics of the reasons in each case (due to confidentiality and out of respect to the applicants), we’re happy to clarify the approach taken as this could be useful for future RFPs conducted by the ADPC:

Evaluation Process

  • The ADPC had no pre-defined number of applicants we wanted on the whitelisted panel. As this is the first time the industry has conducted this type of open tender, we wanted to wait and see the applications as a whole before making any decisions.
  • The evaluation criteria were clearly stated in the RFP and this set out the key principles against which the evaluation was conducted.
  • The ADPC conducted a rigorous evaluation in accordance with the RFP terms to ensure all applicants were subject to an “apples-for-apples” comparison while recognising differences in delivery model and size of organisation.
  • In passing, I should add that the ADPC was really pleased to see the high standard of RFP responses and respect granted towards the process.
  • On completion of the evaluation scoring, the ADPC was left with 2 distinct groupings of applicants with one group of 9 submitting stronger applications in aggregate. That group has been moved through to the next phase.

Post submission adjustments

  • The ADPC reviewed the applications as submitted by the RFP deadline. Keep in mind that the deadline was extended by the ADPC to account for EthCC but we did not provide special dispensation to individual applicants to adjust their submissions after the deadline as this would have made the deadline meaningless and would have been extremely unfair to other applicants who submitted strong applications by the cut-off date. In our view, there was ample time to put together a professional response.
  • The ADPC welcomed feedback on the Application Process and evaluation criteria and received numerous questions from applicants submitted before the Question cut-off date. We also conducted several open AMA sessions.
  • Answers to questions (other than those relating to confidential information) were shared with all applicants so that everyone had equal access to the ADPC’s clarifications in relation to each question raised. Except for the AMAs, this was done in an anonymised fashion so that applicants could ask as many questions as they liked without creating a competitive disadvantage.
  • The ADPC did not score applicants differently on how many questions were asked or type of questions raised. This was not part of the evaluation criteria.
  • This approach of (a) sticking to a common set of RFP rules and (b) transparency in relation to communications is part of what is referred to as “tender probity” or tender hygiene - avoiding favouritism, and providing all applicants a level playing field wherever possible.
  • And while we would have loved every application to be at the same high level, that had to be balanced with a desire to maintain competitive tension and probity through the process.

I hope this clarifies things.