
Modification: Notary Rubric - Refactoring definitions for leveling in "In-protocol security" #23

Closed
dkkapur opened this issue Nov 24, 2020 · 4 comments


@dkkapur
Collaborator

dkkapur commented Nov 24, 2020

Issue Description

The leveling for "In-protocol security" introduces an increasing time range over which the notary should have main "sustained" contributions, as well as introduces new terminology for "severity levels" of vulnerabilities found/fixed in the protocol/services rather than using the standard terminology used by the Filecoin Security Program.

Currently, the time range is not clearly defined, i.e., does it start from when someone participates in the community, or from their first submission of a security vulnerability?

Additionally, there are no clear definitions for "serious" or "major" as used to define the impact of someone's contributions to the network's security. This also creates confusion since the terminology does not map to what is used by the Filecoin Security Program.

Impact

Clarifying imprecise terminology and mapping to existing definitions will make the scoring process more consistent.

Proposed Solution(s)

Remove time range of contributions dimension

Remove the time dimension from this row, since the "in-protocol security" factor should be defined based on the usefulness of the contributions to the security of the network.

Introduce new criteria for security contributions

For leveling from L1-L5, introduce a new criterion that uses the severity of bugs reported / issues found and the quantity of contributions made, where:

  • "severity of bug reports / issues found" is defined as per the Filecoin Security Program - which uses the OWASP Risk Rating Methodology = [note, low, medium, high, critical]
  • "quantity of contributions made" is the raw sum of bugs found, vulnerabilities reported, and issues fixed

Mapping these to values that can be used to differentiate between L1-L5 is open for discussion.

Related issues

@s0nik42

s0nik42 commented Nov 26, 2020

It definitely makes sense to align terminology. You should maybe specify whether "quantity of contributions made" is time bound.

@jnthnvctr
Collaborator

I propose for now we leave it unbounded for time - I think we can update this in the future to add some restrictions (but I think any reasonable time frame would extend a few years back - so maybe we can punt on this until the protocol is a few years old)?

@s0nik42

s0nik42 commented Dec 2, 2020

:)

@jnthnvctr
Collaborator

@s0nik42 / @dkkapur any ideas on buckets for L1-L5?

We have:
L1: Contributions in identifying, responsibly disclosing, and fixing multiple low security vulnerabilities in protocols or services in the Filecoin community

L2: Sustained contributions identifying, responsibly disclosing, and fixing multiple medium serious protocol or service vulnerabilities, in the Filecoin community

L3: Sustained contributions identifying, responsibly disclosing, and fixing high/critical protocol or service vulnerabilities, in the Filecoin community

L4: Sustained contributions identifying, responsibly disclosing, and fixing multiple high/critical protocol or service vulnerabilities, in the Filecoin community

L5: L4 Requirements
