TL;DR: We’ve been so gratified and grateful to see how many builders working on DIDs (decentralized identity solutions) want to work with Gitcoin Passport! We’ve created a risk mitigation process to be sure that we’re safeguarding our community and using our brand reputation to support like-minded projects while we’re in the early days, since stamp creation is not yet fully permissionless.
This new process is for the open source Gitcoin Passport product specifically, but stay tuned for similar docs to bring a distributed risk mindset to other areas of Gitcoin decision-making. Thanks to @kevin.olsen for co-sponsoring this post and guiding this process and for @jeremy commissioning this work!
In thinking through the risks posed by a new stamp provider, this doc provides a high-level framework of the areas in which we want to explore the risks a new stamp could present. Anyone is capable of holding these contingencies in mind and thinking through the ways we can mitigate them. For priority level and the balance of risk appetite, expert opinion may be needed to scope the likelihood of a particular threat manifesting.
If any high-level risks are identified, a risk mitigation proposal can be requested to scope the way forward and determine whether the risks are extreme enough to halt work with the stamp. While risk mitigation is under discussion, the pull request should not be pushed to production, but it is expected that other preparatory work can be done in tandem.
Wherever there is a threat posed either directly or indirectly to the Gitcoin community, we will note this and take next steps to mitigate that risk before pushing the pull request for the stamp in question. In any case where we have a show-stopping risk (infringement of international law, direct harm to users, etc.), we will close the PR with a clear “will not do” decision and the associated reasoning.
We commit to having these conversations publicly on the relevant pull requests in the Gitcoin Passport GitHub and to giving the team who created the pull request the opportunity to respond in the open.
You can check out the full doc here!
Comment below if you think there’s anything we’ve missed, or if you want to continue the discussion further. Comments/quips/quibbles are welcomed and encouraged, and if you want to read more high-level thoughts on risk at the DAO, you can catch up on my own thinking in this earlier post on Trust & Reputation.