🔐 (Decentralised) Security

In much the same way we've decentralised the organisation and applications, we've done the same for security. – @petty

Decentralisation redistributes power, but it also redistributes risk. As people gain direct control over their digital rights and assets, each individual effectively becomes the primary attack surface in cyberspace.

We believe in the sovereignty of individuals. As such, we don't enforce or encourage intrusive policies, we don't actively monitor your online activity, and we don't remotely control your devices.

Our goal is to empower ourselves to collectively protect the organisation by:

  • Recognising and understanding potential threats and vulnerabilities
  • Applying effective security practices in daily activities
  • Promptly reporting any security concerns or incidents

Our vision is for every part of the organisation to identify and address their own security needs through strong collaboration with the Security team and anyone who wants to contribute, strengthening our collective resilience.

Security Guidelines

The IFT defines, compiles and maintains a set of security practices tailored for Web3 environments. Although many of them were shaped for Web2, they remain equally effective when navigating decentralised ecosystems.

For new contributors, a foundational security checklist follows below. We strongly recommend reviewing and implementing these measures during your onboarding period, ideally before you are given access to private or sensitive information.

The full security guidelines can be found here: [Notion] [Github]

We encourage you to define an individual security plan that helps you reach a reasonable and sustainable risk posture according to your role and responsibilities. Feel free to reach out so we can work through it together.

Security is a shared responsibility. Risk can never be fully eliminated, but by building habits that prioritise caution and verification, we can significantly reduce our exposure and protect both you and the organisation.

Please share any ideas, questions or concerns you may have. We'll be happy to talk!

Security Awareness Principles

  • Threat Recognition: Threats can take many forms, including phishing & social engineering, malware, technical vulnerabilities, insider risks, etc.
  • Risk Perception: Evaluate the likelihood of an attack and the potential impact
  • Zero Trust: Always verify before trusting
  • Establish sources of truth: Identify and rely on reputable sources

Security Onboarding Checklist

Secure your workstation

  • Use a dedicated workstation (physical or virtual) for your daily work activities.
  • Whether you use Windows, macOS, Linux, iOS or Android, it is always a good idea to start fresh with a clean install.
  • Update your operating system to apply security patches, improve performance, and fix vulnerabilities.
  • Encrypt your device with tools like BitLocker (Windows), FileVault (macOS), or LUKS (Linux).
  • Use a strong password and enable biometric authentication to unlock your device.
  • Activate screen lock after a short period of inactivity.
  • Enable the system's built-in firewall. Consider LuLu for macOS and Portmaster for Windows/Linux.
  • Remove unnecessary apps to reduce the attack surface.
  • [Optional] Use antivirus software. Some decent and flexible options are ClamAV and AVG.

Secure your network

  • Use a VPN, especially on networks you do not control. Nord, Proton and Mullvad are some good options.
  • Change your router's default admin password. Default router passwords are publicly available.
  • Use WPA3, or WPA2 with AES/CCMP, and a strong Wi-Fi password. Disable WPS.
  • Keep router firmware up-to-date.

Secure your crypto

  • Use a hardware wallet like Ledger or Trezor to store your larger amounts of cryptocurrency.
  • Use a PIN or biometrics to protect device access and signing requests.
  • Store your seed phrase offline in a secure location. Consider using a metal backup solution to protect against fire and water damage.
  • Use multiple wallets to limit potential losses in case of compromise.
  • Test wallet recovery process to ensure you can restore access if needed.
  • Always verify transaction data independently before signing: check recipient, amount and contract on the hardware wallet's own screen, not only in the connected app or website.
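Putting the last item into practice, as an added example that is not from the original page or the IFT's own tooling: it assumes an EVM-style ERC-20 transaction (the page names no chain), decodes the raw calldata a wallet would be asked to sign, and compares it with what the user believes they are sending. The four-byte selectors are the standard ERC-20 ones; the sample calldata at the bottom is constructed for illustration.

```python
"""Decode what a wallet is actually being asked to sign.

Added example, not from the original page or the IFT's own tooling. It
assumes an EVM-style ERC-20 transaction (the page names no chain); the
four-byte selectors are the standard ERC-20 ones, and the sample calldata
at the bottom is constructed for illustration.
"""

MAX_UINT256 = 2**256 - 1

# Standard ERC-20 selectors: first 4 bytes of keccak256(signature).
ERC20_FUNCTIONS = {
    "a9059cbb": ("transfer", [("to", "address"), ("amount", "uint256")]),
    "095ea7b3": ("approve", [("spender", "address"), ("amount", "uint256")]),
    "23b872dd": ("transferFrom", [("from", "address"), ("to", "address"), ("amount", "uint256")]),
}


def _decode_word(word: bytes, typ: str):
    """Decode one 32-byte ABI word of a static type."""
    if typ == "address":
        # Addresses are right-aligned; the 12 leading bytes must be zero.
        if any(word[:12]):
            raise ValueError("non-zero padding in address word")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported ABI type {typ}")


def decode_calldata(calldata_hex: str) -> dict:
    """Return {'function': name, 'args': {...}} or raise if it cannot be decoded.

    Refusing to decode is itself a signal: calldata you cannot read should
    not be signed blind.
    """
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in ERC20_FUNCTIONS:
        raise ValueError(f"unknown selector 0x{selector}: do not sign blind")
    name, params = ERC20_FUNCTIONS[selector]
    body = data[4:]
    if len(body) != 32 * len(params):
        raise ValueError(f"{name} expects {32 * len(params)} argument bytes, got {len(body)}")
    args = {pname: _decode_word(body[i * 32:(i + 1) * 32], ptype)
            for i, (pname, ptype) in enumerate(params)}
    return {"function": name, "args": args}


def check_before_signing(calldata_hex: str, expected_to: str, expected_amount: int):
    """Compare decoded calldata with the user's intent. Returns (ok, findings)."""
    findings = []
    decoded = decode_calldata(calldata_hex)
    name, args = decoded["function"], decoded["args"]
    if name == "approve":
        findings.append(f"this is an approval letting {args['spender']} spend your tokens, not a transfer")
        if args["amount"] == MAX_UINT256:
            findings.append("unlimited approval (2**256-1): a compromised spender can drain the balance")
    counterparty = args["spender"] if name == "approve" else args["to"]
    if counterparty.lower() != expected_to.lower():
        findings.append(f"counterparty {counterparty} != expected {expected_to}")
    if args["amount"] != expected_amount:
        findings.append(f"amount {args['amount']} != expected {expected_amount}")
    return (not findings, findings)


# --- constructed sample inputs (not real transactions) ---------------------
def _addr_word(addr: str) -> str:
    return addr.lower().removeprefix("0x").rjust(64, "0")


def _uint_word(n: int) -> str:
    return f"{n:064x}"


INTENDED_RECIPIENT = "0x" + "11" * 20
INTENDED_AMOUNT = 10**18  # 1 token with 18 decimals

# What the user thinks they are signing: transfer(INTENDED_RECIPIENT, 1 token).
SAMPLE_TRANSFER = "0xa9059cbb" + _addr_word(INTENDED_RECIPIENT) + _uint_word(INTENDED_AMOUNT)
# A phishing-style request: unlimited approve() to an attacker-controlled spender.
SAMPLE_DRAIN_APPROVE = "0x095ea7b3" + _addr_word("0x" + "de" * 20) + _uint_word(MAX_UINT256)

if __name__ == "__main__":
    for label, cd in [("transfer", SAMPLE_TRANSFER), ("approve", SAMPLE_DRAIN_APPROVE)]:
        ok, findings = check_before_signing(cd, INTENDED_RECIPIENT, INTENDED_AMOUNT)
        print(label, "OK to sign" if ok else "DO NOT SIGN", findings)
```

The point of the check is that the decoded recipient and amount must match both your intent and what the hardware wallet displays; an approve() where you expected a transfer, an unlimited allowance, or calldata the decoder refuses to parse are each reasons to stop rather than sign.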

Secure your accounts

  • Set up a password manager. Bitwarden, NordPass, KeePassXC and 1Password are good options.

    All organisational passwords and secrets are stored in Bitwarden. Please request access if you need any of them.

  • Enable Two-Factor Authentication. Prefer a YubiKey or similar FIDO2/WebAuthn device over SMS or app-generated codes, since it is resistant to phishing. You can expense it.
  • Use passkeys for login - Leverage passkey authentication when supported instead of password + 2FA, especially for critical services and privileged users.
  • Sign up for Breach Alerts. Use services like Mozilla Monitor and Have I Been Pwned to monitor if your credentials appear in known data leaks.
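The breach-alert services above watch for your e-mail address in leaked data; the password-side counterpart is checking a password against a breach corpus without disclosing it. The following is an added example, not from the original page: it assumes the Have I Been Pwned Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1(password)>, which returns lines of SUFFIX:COUNT), and the response it parses is constructed so the example runs offline.

```python
"""Check a password against a Have I Been Pwned style breach list without
sending the password anywhere (k-anonymity range query).

Added example, not from the original page. It assumes the Pwned Passwords
range API: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of
SHA-1(password)> returns lines of 'SUFFIX:COUNT'. The response used below is
constructed so the example runs offline; the counts in it are not real.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str):
    """Split SHA-1(password) into the 5-char prefix that is sent and the
    35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map suffix -> count. Tolerates CRLF, blank lines and the zero-count
    padding entries the service adds when 'Add-Padding: true' is sent."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).

    fetch_range(prefix) -> response body. Only the 5-char prefix is sent, so
    the service learns neither the password nor its full hash.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network). Add-Padding asks the service to pad the
    response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "onboarding-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- constructed offline stand-in for the service ----------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6. The counts and the second (padding-style) entry are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
              "00D4F6E8B1C2A3F4E5D6C7B8A9F0E1D2C3B:0\r\n"
              "\r\n"),
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "xK9#vL2$mQ7@nR4&wZ1"]:
        print(repr(pw), "seen", breach_count(pw, fake_fetch_range), "times (offline sample)")
```

To run it against the live service, pass fetch_range_live instead of fake_fetch_range. A non-zero count means the password is in a public breach corpus and should be rotated, regardless of whether your own account was in that breach.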

Secure your communications

  • Use End-to-End Encrypted (E2EE) messaging applications when sharing sensitive or private information. Some tools commonly used by our collaborators, partners, and agencies include Matrix, Signal, and Status.

    The IFT operates a dedicated Matrix homeserver for private internal communications. You can register using your SSO credentials and the official client of your choice. See user onboarding guide with Element Desktop.

  • Use Protonmail as your default secure email service for private and confidential threads.
  • Use Discord for general and public interest conversations. Never share sensitive information through Discord.
  • If you use Telegram for business communications, please refer to and apply the recommendations in this hardening guide.

Protect your privacy

  • Use privacy-focused web browsers such as Firefox, Brave, LibreWolf and Tor Browser.
  • Cover your webcam when not in use and disable microphone access for untrusted applications.
  • Disable or limit voice-controlled assistants.
  • Disable or limit usage data and diagnostic feedback sent to cloud services.
  • Review application permissions and privacy settings.
  • Be careful with what you publish on social media.
  • Whether you back up to a hardware device or to the cloud, make sure the backups are encrypted.

Ask for help

Above all else, never be afraid to ask for help, ask questions, or report security concerns. Drop by:

Additional resources

Learn more about Security @ IFT at: