Security guidelines
Security is a priority at IFT, and we'd like to thank you in advance for taking steps to secure your devices and online accounts.
Here you'll find helpful links to resources to protect yourself and the organisation from attackers.
In much the same way we've decentralised the organisation and applications, we've done the same for security.
It means the vast majority of the attack surface is you, the people that contribute. Furthermore, the controls and information a security specialist has in terms of making decisions and monitoring how things are run are constrained. It also means education takes a forward step in importance across the organisation, and personal responsibility for quality security practices becomes paramount. It is up to the people to understand potential threats, take preventative measures, and report any issues they come across to the security team to protect the organisation as a whole. - @petty
Ask for help
Above all else, never be afraid to ask for help, ask questions, or report security concerns. Until we have an official infrastructure for support tickets, drop by:
- #security for more broad, public questions, or
- Drop an email to [email protected].
All contributors with an onboarding process will have a security touchpoint with the security team during the first month of their onboarding.
Best practices checklists
Review & follow this checklist to make sure you are complying with our best practices.
Fancy giving your security a spring clean? Check out this crypto advent calendar with daily bite-sized security tips.
Phishing attacks are the most common, arriving via Discord bots, Telegram messages, and email, amongst other channels. Take this phishing test to see how savvy you are when it comes to detecting phishing.
Hardware
Here's a list of recommended hardware for protecting accounts, crypto assets, and data:
- Security Keys (e.g., YubiKey, Google Titan, OnlyKey): provide phishing-resistant 2FA login, useful against remote attacks and credential leaks.
- Hardware Crypto Wallets (e.g., Ledger, Trezor, Coldcard): store private keys offline.
- Encrypted External Storage (e.g., IronKey): secures private key backups and sensitive data with hardware encryption for added protection.
- Privacy-Focused Phone (e.g., GrapheneOS Pixel): enhances privacy and security with encrypted communication and minimal data tracking.
- Faraday Bag (e.g., Mission Darkness): shields devices from remote hacking and tracking by blocking all wireless signals.
Core contributors can expense hardware security keys (YubiKeys), which should be used for GitHub, GSuite, and Bitwarden.
Here's Corey's Status Learn-Up session about hardware wallets and best practices.
Password manager
Our password manager is Bitwarden. All organisational passwords should be kept and shared there. If you store an IFT-related password, or receive access to a platform that requires a username, password or 2FA, share it through Bitwarden.
You can request an invite in #people-ops. By signing up under the organisation you get the premium features, and you can sign up with any email address you like. That way, if you ever leave the IFT, you take your personal password manager secrets with you and lose access only to IFT-related items.
Security team
Learn more about Security @ IFT at: