ZecSec: Zcash Ecosystem Security


The Future of Zcash Ecosystem Security

Starting in October, I will be stepping away from my role as the Zcash community’s resident security auditor and entering a sabbatical year to give more of my time to friends and family and to work on some hobbies outside of the cryptocurrency world.

I would like to extend thanks to the Zcash Community Grants committee and to the Zcash community for supporting my role over the past year. This has been an amazing opportunity to level up my bug-hunting skills, and together we’ve eliminated some risky bugs from Zcash community projects:

[Figure: Distribution of Bugs Found]

How will this affect Zcash’s security, going forward?

In my talk on Security Engineering at Zcon4, I surveyed the results of my work over the past year: 81 bugs discovered, 41 of which I rated as “medium”-severity or higher. These results show that the Zcash community benefits from the kind of security support that I’ve been providing.

So, I’ve recommended that the Zcash Community Grants committee fill in the gap I’ll be leaving through a combination of (a) putting out an RFP for a similar role, to perform audits and provide general security support and coordination, and (b) posting RFPs for individual project audits when the need arises.

ZCG is currently in talks with several organizations about filling in the role. (And to those organizations: I highly recommend taking on the role; working with ZCG has been great! It’s an incredible opportunity to be well-funded to support security for open-source privacy-preserving projects.)

Through some combination of funding individual audits and/or funding an organization to take on a security leadership role, the Zcash community will have excellent security support into the future, and I’m excited about the potential to attract new security talent to the Zcash community. I will, of course, remain available to the Zcash Community Grants committee to offer advice through this transition.

Lastly, another thank you to the Electric Coin Company, my previous employer, for the opportunity to work on Zcash and for the skills their engineers taught me, and to the Zcash Community Grants committee and the Zcash community again for the trust they’ve placed in me to secure the Zcash ecosystem over the past year.

I’m excited to see where Zcash heads next. I think the partnership with Brave will help Zcash find its footing and become a valuable product for many new users.