The foundation funds/sponsors core infrastructure development directly. The Council approves budget proposals from the management to pay for the development, maintenance and operations of code and services that are essential to the basic operations of the Provenance Blockchain network. Note that core infrastructure funding does not use member voting mechanisms for approval. The reason to streamline the core infrastructure funding is to avoid situations where tasks like upgrades, maintenance, and release management, would have to compete for funding with sexy, shiny new research projects, which could jeopardize the quality and service level of the Provenance Blockchain network and operations.
{% hint style="info" %} Note: List of core infrastructure projects is work in progress... {% endhint %}
Bug fixes, small enhancement, following Cosmos SDK updates/bugs, release management and coordination. Github repo management and support, maintainer/committer management Effort: Ongoing - 2 FTE Bounty: 2 $200k/y = $400k/year Provenance Blockchain Code and Deployment Hardening Institute regular penetration testing and code-reviews of the Provenance Blockchain SDK, Client Contract Environment, and the Blockchain/Validator.
Effort: 2w/6m - pentester/code-reviewer - ongoing - twice a year
Bounty: 4 $5000 = $20,000
Because the Provenance Blockchain network is distributed among many peers, resolving a security incident poses extra challenges. By analysing the different threat vectors, and their associated remediation, it becomes clear how the community has to respond to security incidents. Validators may have to share contact information of their 24*7 on-call staff, etc.
Effort:
Bounty:
Protecting the integrity of the Provenance Blockchain Validator network is crucial to the success of the Provenance Blockchain ecosystem and its acceptance. Deploy endpoint protection agents on the Validator nodes and monitor them centrally for any intrusion or not-normal behaviour. Engage CrowdStrike or Palo Alto Networks for a possible solution that could include an outsource managed SOC. We may want to gently force or incentivise validators to become part of the endpoint protection monitoring by paying higher fees or increase the selection choice weight when a validator runs the endpoint protection agent. Offering a blockchain network with better integrity protection with respect to other similar networks, would give competitive advantage especially for DeFi apps.
Effort: vendor management and point of contact for escalation
Bounty: > $100k/year
Augment the SDK with functionality that facilitates and automates required controls for Provenance Blockchain client-deployment compliance requirements concerning PCI, GDPR, CCPA and/or ISO27001/NIST.
Effort: 4w - dev
Bounty: 4* $3500 = $14,000
Improve fine-grained logging and instrumentation to the Provenance Blockchain SDK code allowing the deployment to be better monitored for performance and possible security-related issues.
Effort: 2w - Dev
Bounty: 2 * $2500 = $5,000
Engage BugCrowd or HackerOne to set up a formal BugBounty program. Effort: discuss with BugCrowd/HackerOne what the best approach is for such an open source project...
Bounty: Probably $10-20k/year depending on number of found (severe) bugs.