Members of the RWG are tasked with spearheading security operations at Inverse. This position comes with five major directives highlighted in the section below:
Security Operations Liaison
The RWG drives security-related cooperation between working groups and between third party auditors/security consultants and the DAO, mediating a close working relationship between individuals and between organizations.
In practice, the RWG:
Manages the bug bounty program and manages third party security vendors
Understands and ensures that enough due diligence activities are conducted as part of new solutions coming out of Inverse, making security recommendations from a holistic value chain perspective.
Works with internal and external talent to improve the DAO’s security posture
Internal Auditor
The RWG conducts interviews with the heads of other working groups to understand, define, and document all risks associated with their day-to-day activities in an effort to record Inverse’s business operations, contributors, and investments in the Risk Register. As a reminder, the Risk Register is one of three mandates of the RWG, and its purpose is to identify risks.
The RWG also sets a recurring cadence for applying this risk identification process to existing products and new business opportunities in order to identify new and emerging risks.
Incident Response Facilitator
The RWG assumes the role of the "facilitator" in the DAO's Incident Response Protocol. The Facilitator plays a vital role in mediating the emergency handling and ensuring the process described in the page linked above is followed, engaging with the correct stakeholders and teams in order for the necessary decisions to be made quickly. A suitable Facilitator is familiar with the process and is confident that they can drive the team to follow through. It's expected that they have relevant experience either from having worked real scenarios or through drill training.
Disaster Training Coordinator
The RWG is tasked with training the response team for different types of incidents. This comes in the form of "Fire Drills": unannounced security drills that simulate real-world scenarios, such as a hack or a technical issue, used to measure our response time as a team. By regularly conducting security operations fire drills, we can ensure that our team is prepared to handle any security challenges that may arise, and that our users' assets are protected at all times.
Threat Modeling
The RWG supports the PWG's effort in conducting threat modeling, which is required prior to any smart contract deployment at Inverse. In practice, threat modeling involves analyzing the system architecture, recognizing potential attack vectors by studying past exploits in the DeFi ecosystem, and evaluating the impact of a successful attack. By incorporating threat modeling into Inverse's smart contract review process, our developers can proactively design security controls and countermeasures that mitigate or eliminate potential security threats, ultimately improving Inverse's security posture.
Succeeding at this mandate requires RWG members to possess the following attributes:
A comprehensive understanding of the internal team structures and processes of the DAO
An innate knack for scrutinizing and auditing past and present work from the various working groups, and a disposition towards logging and bookkeeping.
Deep industry knowledge and resourcefulness in seeking out external validation and cross-examination from experts.
Calculated communication skills, as members will be required to drive conversation during internal audits and disaster training, manage third party auditors/security consultants, and lead in the event of a protocol-related incident.