Security at IFT
Security is a priority at IFT, and we'd like to thank you in advance for taking steps to secure your devices and online accounts. A strong security culture helps protect both individuals and the organization from threats.
On this page you'll find links to resources that help you protect yourself and the organisation from attackers.
In much the same way we've decentralised the organisation and applications, we've done the same for security.
It means the vast majority of the attack surface is you, the people that contribute. Furthermore, the controls and information a security specialist has in terms of making decisions and monitoring how things are run are constrained. It also means education takes a forward step in importance across the organisation, and personal responsibility of quality security practices becomes paramount. It is up to the people to understand potential threats, take preventative measures, and report any issues they come across to the security team to protect the organisation as a whole. - @petty
Contributor Responsibilities and Expectations Regarding Security
At IFT, security is decentralized, making individual responsibility vital. Every team member plays a key role in safeguarding security by:
- Recognizing potential threats and vulnerabilities.
- Following security best practices in daily operations.
- Promptly reporting any security concerns or incidents.
Security checklist
During your onboarding, please ensure you follow these steps:
- Use a Secure Work Setup: Ideally, you should use a dedicated workstation (physical or virtual) for your daily operations at IFT.
- Enable Multi-Factor Authentication (MFA): Enable MFA on all your accounts and, where supported, use a security key. Core contributors can expense hardware security keys (e.g., YubiKeys) and should use them for critical accounts such as GitHub, GSuite, Bitwarden, and any other supported services.
- Set Up a Password Manager: Use Bitwarden to securely store and share credentials. All organizational passwords should be kept in Bitwarden. If you need to store an IFT-related password or access platforms requiring a username, password, or 2FA, they must be shared securely via Bitwarden.
- Take a Phishing Awareness Test: Test your ability to detect phishing attempts by completing this phishing quiz.
- Run a Security Check on Your Personal Email Accounts: Visit this site for a quick security audit; you might be surprised by the results.
For additional details on how to secure your accounts and devices, refer to our detailed checklist.
Hardware
Here's a list of recommended hardware for protecting accounts, crypto assets, and data:
- Security Keys (e.g., YubiKey, Google Titan, OnlyKey): Provides phishing-resistant 2FA login, useful against remote attacks and credential leaks.
- Hardware Wallets (e.g., Ledger, Trezor, Grid+, Keystone): Stores private keys offline.
- Encrypted External Storage (e.g., IronKey): Secures private key backups and sensitive data with hardware encryption for added protection.
- Privacy-Focused Phone (e.g., GrapheneOS Pixel): Enhances privacy and security with encrypted communication and minimal data tracking.
- Faraday Bag (e.g., Mission Darkness): Shields devices from remote hacking and tracking by blocking all wireless signals.
Here's Corey's Status Learn-Up session about hardware wallets and best practices.
Ask for help
Above all else, never be afraid to ask for help, ask questions, or report security concerns:
- Drop by #security for broader, public questions, or
- Drop an email to [email protected].
Additional resources
Learn more about Security @ IFT at: