🔐 (Decentralised) Security

In much the same way we've decentralised the organisation and applications, we've done the same for security. – @petty

Decentralisation redistributes power, but it also redistributes risk. As people gain direct control over their digital rights and assets, they effectively become the primary attack surface in cyberspace.

We believe in the sovereignty of individuals. As such, we don't enforce or encourage intrusive policies, we don't actively monitor your online activity, and we don't remotely control your devices.

Our goal is to empower ourselves to collectively protect the organisation by:

  • Recognising and understanding potential threats and vulnerabilities
  • Applying effective security practices in daily activities
  • Promptly reporting any security concerns or incidents

Our vision is for every part of the organisation to identify and address their own security needs through strong collaboration with the Security team and anyone who wants to contribute, strengthening our collective resilience.

Security Guidelines

The IFT defines, compiles and maintains a set of security practices tailored for Web3 environments. Although many of them were shaped for Web2, they remain equally effective when navigating decentralised ecosystems.

New contributors will find a foundational security checklist below. We strongly recommend reviewing and implementing these measures during your onboarding period, ideally before accessing private or sensitive information.

The full security guidelines can be found here: [Notion] [Github]

You can also check out these tools and resources that our guides are strongly aligned with:
[Digital Defense] [Digibastion] [Security Alliance]

We encourage you to define an individual security plan that helps you reach a reasonable and sustainable risk posture according to your role and responsibilities. Feel free to reach out so we can work through it together.

Security is a shared responsibility. Risk can never be fully eliminated, but by building habits that prioritise caution and verification, we can significantly reduce our exposure and protect both ourselves and the organisation.

Please share any ideas, questions or concerns you may have. We're happy to discuss!

Security Awareness Principles

  • Threat Recognition: Threats can take many forms, including phishing & social engineering, malware, insider risks, etc.
  • Risk Perception: Evaluate the likelihood of an attack and the potential impact.
  • Zero Trust: Always verify before trusting.
  • Establish sources of truth: Identify, establish and rely on reputable sources.

Security Onboarding Checklist

A fair reminder — we are only HUMAN!

As such, we are naturally susceptible to being deceived or to making mistakes, and to this day exploiting that remains highly effective for threat actors. Check out this data: [SpaceLift] [SecureFrame] [Zensec]

By questioning unusual requests, pausing before acting, and leveraging peer support, you transform security from a set of rules into an intuitive approach to daily interactions.

  • Always verify the legitimacy of any request for sensitive information through a separate communication channel.

    Develop a habit of “double-checking” any request for personal or financial information.

  • Limit the amount of personal and professional information available publicly on social platforms.
  • Never click links in unsolicited emails or messages.
  • Never enter your wallet credentials, seed phrase, or private keys on any page reached via a link.
  • Never open attachments from unknown or unexpected senders.
  • Keep different areas of digital activity separate to limit data exposure in case of a breach.
  • Never reply to suspicious messages, even to unsubscribe.
  • Aim for privacy. See some practices below.
  • Check out some tools that can help you better understand and protect yourself against Web3 phishing attacks. [The Phishing Dojo] [Unphishable]

Secure your workstation

  • Use a dedicated workstation (physical or virtual) for your daily work activities.
  • Whether you use Windows, macOS, Linux, iOS or Android, it is always a good idea to start fresh with a clean install.
  • Update your operating system to apply security patches, improve performance, and fix vulnerabilities.
  • Encrypt your device with tools like BitLocker (Windows), FileVault (macOS), or LUKS (Linux).
  • Use a strong password and enable biometric authentication to unlock your device.
  • Activate screen lock after a short period of inactivity.
  • Enable the system's built-in firewall. Consider LuLu for macOS and Portmaster for Windows/Linux.
  • Remove unnecessary apps to reduce the attack surface.
  • Use antivirus software. Some decent options are ClamAV and AVG. [Optional]

Secure your crypto

  • Use a hardware wallet like Ledger or Trezor to store your larger amounts of cryptocurrency.
  • Store your seed phrase offline in a secure location. Consider using a metal backup solution to protect against fire and water damage.
  • Use PIN/Biometrics to protect device access and signing requests.
  • Use multiple wallets to limit potential losses in case of compromise.
  • Test the wallet recovery process to ensure you can restore access if needed.
  • Always verify transaction data independently before signing.

Secure your network

  • Use a VPN. Nord, Nym and Mullvad are some good options.
  • Change your router password. Default router passwords are publicly available.
  • Use WPA2/WPA3 and a strong Wi-Fi password.
  • Keep router firmware up-to-date.

Secure your accounts

  • Set up a password manager. Bitwarden, NordPass and KeePassXC are good alternatives.

    Most of the organisational passwords and secrets are stored in Bitwarden. Please request access if you need to know some of them.

  • Enable Two-Factor Authentication. Use a YubiKey or similar device that supports FIDO2/WebAuthn. You can expense it.
  • Leverage passkey authentication when supported instead of password + 2FA, especially for critical services and privileged users.
  • Sign up for Breach Alerts. Use services like Mozilla Monitor and Have I Been Pwned to monitor if your credentials appear in known data leaks.

Secure your communications

  • Use End-to-End Encrypted (E2EE) messaging applications when sharing sensitive or private information. Some tools commonly used by our collaborators, partners, and agencies include Matrix, Signal and Status.

    The IFT operates a dedicated Matrix homeserver for private internal communications. You can register using your SSO credentials and the official client of your choice. See the user onboarding guide with Element Desktop client.

  • Use Protonmail as your default secure email service for private and confidential threads.
  • Use Discord for general and public interest conversations. Never share sensitive information through Discord.
  • If you need to use Telegram for business communications, please refer to and apply the recommendations in this hardening guide.

Protect your privacy

  • Use privacy-focused web browsers like Firefox, Brave, LibreWolf and Tor.
  • Cover your webcam when not in use and disable microphone access for untrusted applications.
  • Disable or limit voice-controlled assistants.
  • Disable or limit usage data and diagnostic feedback sent to cloud services.
  • Review application permissions and privacy settings.
  • Be careful with what you publish on social media.
  • Whether you back up to a hardware device or to the cloud, make sure your backups are encrypted.

Ask for help

Above all else, never be afraid to ask for help, ask questions, or report security concerns. Drop by:

Additional resources

Learn more about Security @ IFT at: