[Temp Check] Governance Security: Compensating blockful for preventing a potential attack on the ENS DAO

I’m generally in favor of this proposal, but I would like to address concerns raised during a Meta-Governance Working Group call and in this thread which highlight some ambiguity regarding Blockful’s engagement with the ENS DAO.

Specifically, questions have emerged about whether Blockful’s efforts to identify and address a governance attack vector fall within the scope of their Service Provider engagement.

Blockful’s Service Provider Scope:

  1. In their Service Provider Application, Blockful included security reviews for executable proposals but excluded “DAO tooling to benefit the whole ecosystem” from their responsibilities as a result of their security review.
  2. Blockful contends that their role as a Service Provider allowed them to conduct deeper governance analysis, resulting in contributions like the creation of the Security Council, as noted in their report. However, these contributions may not fall under their original scope.

It seems the DAO knowingly engaged Blockful for the services outlined in their Service Provider application, with the understanding that certain tasks, such as “DAO tooling to benefit the whole ecosystem,” would fall outside the scope.

The question now is: does the governance security bounty fall under “DAO tooling,” and if so, shouldn’t the bounty be awarded by Meta-Governance? Or is it more like a bug bounty, as mentioned earlier in the thread? I’ll let @alextnetto.eth elaborate, but it seems that Security Review is an emergent responsibility deserving compensation for its successful contribution.

Should Security Review fall under the purview of Meta-Governance? If so, consideration should be given to including it in the budget for future terms, ensuring the onus does not fall on the DAO as a whole. Additionally, this discussion calls for a closer look at procedure, as we should strive to avoid ambiguity wherever possible.