Criteria for CIP Security Considerations
This discussion is focused on defining criteria that may be useful in the Security Considerations section of a Celestia Improvement Proposal (CIP). Therefore, the target audience of this post is CIP authors and reviewers.
Context
The CIP template contains a section dedicated to Security Considerations. Currently the boilerplate for this section includes:
All CIPs must contain a section that discusses the security implications/considerations relevant to the proposed change. Include information that might be important for security discussions, surfaces risks and can be used throughout the life cycle of the proposal. For example, include security-relevant design decisions, concerns, important discussions, implementation-specific guidance and pitfalls, an outline of threats and risks and how they are being addressed.
Problem
The boilerplate for the Security Considerations section is quite broad and does not provide specific guidance on what should be included in this section. This may lead to inconsistent evaluations of the security implications of a CIP.
Proposal
Some criteria that I’d like to see explicitly included:
- Battle tested: Does the proposed software have some history of deployment in production? If yes, have there been any known vulnerabilities or exploits?
- Blast radius: If the proposed software has a vulnerability, what is the potential impact on the Celestia network? Does the proposed software introduce any new attack vectors?
- Audit history: Has the proposed software been audited by a reputable security firm? If yes, what were the results of the audit? Has the proposed software undergone modifications since the audit?
- Complexity: How complex is the proposed software modification?
Feedback
I’m interested in hearing from the community about what criteria would be helpful when evaluating the security considerations of a CIP. Are there any other criteria that should be considered? Are there any examples of other blockchain projects that have used a similar set of criteria to evaluate proposed software modifications?