🔐 Security guidelines

Security is a priority at IFT, and we'd like to thank you in advance for taking steps to secure your devices and online accounts.

Here you'll find helpful links to resources to protect yourself and the organisation from attackers.

In much the same way we've decentralised the organisation and applications, we've done the same for security.

It means the vast majority of the attack surface is you, the people that contribute. Furthermore, the controls and information a security specialist has in terms of making decisions and monitoring how things are run are constrained. It also means education takes a forward step in importance across the organisation, and personal responsibility of quality security practices becomes paramount. It is up to the people to understand potential threats, take preventative measures, and report any issues they come across to the security team to protect the organisation as a whole. – @petty

Ask for help

Above all else, never be afraid to ask for help, ask questions, or report security concerns. Until we have an official infrastructure for support tickets, drop by:

  • #security for broader, public questions, or
  • drop an email to security@status.im.

All contributors with an onboarding process will have a security touchpoint with the security team during the first month of their onboarding.

Best practices checklists

Review & follow this checklist to make sure you are complying with our best practices.

Fancy giving your security a spring clean? Check out this crypto advent calendar with daily bite-sized security tips.

Phishing attacks are the most common, and they arrive through Discord bots, Telegram messages, and email, amongst other channels. Take this phishing test to see how savvy you are when it comes to detecting phishing.

Hardware

Check out this list of essential hardware. Core contributors can expense hardware security keys (YubiKeys), which should be used for GitHub, G Suite, and Bitwarden.

Here's Corey's Status Learn-Up session about hardware wallets and best practices.

Password manager

Our password manager is Bitwarden. All organisational passwords should be kept and shared here. So if you plan to store an IFT-related password, or get access to platforms that require a username, password, or 2FA, then it should all be shared using Bitwarden.

You can request an invite in #people-ops. By signing up with the organisation, you get the premium features and can sign up with any email you like. That way, if you ever leave the IFT, you can take your password manager secrets with you, and you only lose access to IFT-related items.

Security team

Learn more about Security @ IFT at: