grants/w3p-03.md
2023-10-19 15:30:34 +02:00


  W3P: 3
  Title: Privacy features audit concept for security audit organizations & whitehackers (research)
  Status: preparation
  Type: Research
  Created: 2023-10-01


Context

90%+ of the privacy services in web3 lack a basic security audit, which is a high risk for anyone using them without a third-party attestation. At the same time, security audit companies are not focused on privacy features; they analyze smart contracts and similar components. So we want to raise the "security" level of privacy services by facilitating a new kind of privacy-features attestation by white hackers (working for companies or for themselves).

This will significantly protect the general public from compromised services with backdoors, poor code execution and false privacy claims. Meanwhile, it will verify privacy claims for the broader community, contributing to the latest encryption, ZK research and other privacy-tech execution concepts.

Privacy features

| Feature | Observation |
|---|---|
| Selected privacy technology maturity | latest, old (outdated) etc |
| Selected privacy technology delivery | state of the privacy tech: test-net, poor code execution etc |
| Default privacy | enabled, not; requires sign-in, consent etc |
| Privacy policies (data collection policies) | what data is collected & why; marking non-essential data collection practices |
| Non-consent data collection practices | IP, wallet, balance etc |
| Anonymity set | "data profile" the service reveals/knows about you & how it cares about your anonymity set |
| Third-party privacy tech maturity | if the service is part of an ecosystem, the security audit company comments on the core tech privacy (Ethereum, Waku etc) |
| Traceability | how traceable are transactions (if applicable) |
| Decentralization | permissioned, permissionless etc |

Additional

| Feature | Observation |
|---|---|
| Privacy risk | low, medium, high |

Comments

  • there's a thin line between privacy & security, so we approach it like this: if privacy is compromised -> it becomes a security issue (threat)
  • some privacy observations are ethical (like "compliance"), so tech companies can't say they are "good" or "bad" -> we will just highlight them on our public platform (like KYC, team reputation etc)

Contribute

  • Community member: discuss - Join Signal group, do - make Pull Request here
  • Privacy organization: donate - Contact, do - make Pull Request here
  • Security audit company: reflect - Join Signal group, do - make Pull Request here