Industry leading OpSec audits, security tools, and code reviews performed by true security wizards

Joined August 2022
Pinned Tweet
In 2022, we performed one of the first ever OpSec audits for a web3 company, pulling from over 7 years of experience securing the most sensitive and high value teams at companies like Apple and Amazon. We built a bespoke audit process from the ground up that covers all of the weak points that code and infra audits don't. Over the past 4 years we've reviewed OpSec for VCs, startups, mature companies, and teams ranging from 5 people to 50, including crypto-adjacent orgs with no on-chain presence, and crypto-native orgs with dozens of multi-sigs and hot wallets. We started with ad-hoc reviews tailored to each organization: meet with the team to ask all the questions we could think of, build a threat model, and write a report highlighting risks and recommending mitigations. But we quickly learned that, while there are unique risks each team faces, many of the topics we covered were shared between orgs. We wrote guides for securing Discord servers, Twitter/X accounts, email servers, and developed both targeted and generalized trainings for whole teams. We also learned that these audits ran most smoothly with some sort of structure in place to define what each meeting should cover, who we needed to talk to in the org, and when we knew we were done. And when we spoke about OpSec to teams they didn't have a solid understanding of what it even meant or what the scope included. We built a very detailed internal process and set of resources outlining all of this. Since then, we've taken that internal playbook and refined it across multiple audits, each with their own unique risks and challenges. But this was something we felt we could not keep to ourselves. Last year, we converted that playbook into a comprehensive set of requirements, guides, and tools - all open source and free for anyone to use. We called it the Web3 OpSec Standard (W3OS).
What sets W3OS apart from other OpSec resources is that it aggregates a comprehensive set of guidance into one place; presents everything as actionable checklists; and provides concrete guides for configuring platforms, setting up secure development environments, and training teams to stay secure. This year, we've also started building tools to support these guides and requirements and enable teams to take their OpSec seriously without having to build complex monitoring tools themselves. Auditware has been doing OpSec audits for over 10 years; we wrote the book on web3 OpSec, and we continue to build open source public goods for tackling OpSec issues because we truly believe that our industry cannot thrive without preventing the many easily preventable security failures we have seen over the years. We highly encourage everyone to put these resources to good use and tighten up your OpSec before you have an incident! The best way to get started with this is making an account on our free OpSec collaboration platform, Sentry, which allows you to navigate W3OS requirements and guides with ease, track tasks across your team, and set up monitoring tools: sentry.auditware.io/

Thanks to everyone who came out for the Auditware × @ProtocolLabs OpSec workshop in NYC yesterday 🫂 If you attended or want to dig into these topics: Workshop Slides: canva.link/eo2u3yczkv20blz Free 1-hr OpSec Training (tailored to your team): calendly.com/joe-auditware/o… Full OpSec Audit to go deeper on your security posture: auditware.io/audits/opsec Questions? Reply or DM us 💜
The team is in NYC all week for our hands-on OpSec workshop tomorrow, covering key mgmt, multisig, device security & more. If you're in town and thinking about security, let's chat or swing by the workshop 💜
Hey Protocol Labs founders and builders 👋 We're hosting a hands-on OpSec workshop exclusively for @ProtocolLabs portfolio founders and developers in New York City.
🗓️ Tuesday, June 9 · 10:00 – 11:00 AM
📍 OASIS by Workville, NYC
We'll be covering practical security practices for teams building in Web3:
→ Key management & storage
→ Device security
→ Wallet & multisig handling
→ Incident response fundamentals
→ Auth & security policies
Led by our CEO, @joe_vanloon
Want a head start or can't make it in person? Check out the training materials here: auditware.io/opsec-training
Grab your spot below 👇 luma.com/cg5bv83p
See you there!
Auditware retweeted
7/ AuditWare (@audit_wizard) OpSec Workshop (June 9) A hands-on workshop covering practical security practices, incident response, key management, and organizational OpSec. luma.com/cg5bv83p
Our open-source contribution skill-warden immediately flagged some of the @trailofbits malicious skills before any AI got the chance to read them. Great awareness exercise, keep your AI agents safe! github.com/W3OSC/skill-warde…
We built four malicious skills to test whether skill scanners actually work. Three took less than an hour to conceive and implement. ClawHub, Cisco, and Vercel's skills.sh marked them as safe. 🧵
🚨 W3OSC/skills is now open, a repo of AI skills built specifically for Web3 operational security. We built these for the problems security teams and auditors run into constantly:
→ Endpoint threat hunting
→ Org security mapping
→ Supply chain defense
→ Multisig hardening
More coming soon 👀 All in one place: just drop it into your AI agent and get the right guidance when you need it. Web3 security teams and auditors, which skill are you adding first? Or submit your own and see if it passes the automated checks for malicious patterns! github.com/W3OSC/skills
skill-warden integrates directly into your CI pipeline and sends the scan results into Sentry. It automatically checks every push and every pull request. If it finds a hard violation, it blocks the merge. All the results then appear in Sentry’s unified security dashboard alongside your other tools, using SARIF. Together they give you strong end-to-end coverage: skill-warden catches risky AI skills and prompt injections in CI, while Sentry keeps watching your GitHub activity, endpoints, identities, DNS integrity, and breach exposure. sentry.auditware.io/
An attacker may not target you directly; instead, they can register a batch of package names, create some empty GitHub repos to look credible, and wait for someone to make a typo in an install command. Supply chain attacks at scale are not very precise. It's a numbers game that employs enough fake packages and a real-looking repo. The TrapDoor campaign pushed 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, with many targeting DeFi devs on Solana, Aptos, and Sui. Depenemy spots the pattern: repos with almost no history and publishers who released multiple packages in the same 48-hour window. github.com/W3OSC/depenemy

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.
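The pattern the post above describes (one publisher releasing several packages inside a 48-hour window, each backed by a repo with almost no history, with names chosen to catch install-command typos) can be turned into a pre-install check. The code below is an added illustration written for this page; it is not depenemy's or Socket's code. It assumes registry metadata in the constructed shape shown (`name`, `publisher`, `publishedAt`, `repoCommits`, where `repoCommits` is a stand-in for "almost no repo history") and a hypothetical allowlist of well-known package names; it goes slightly beyond the post by also rating a requested name by edit distance from that allowlist.

```javascript
// Added example, not depenemy's or Socket's code. All metadata below is constructed.
const HOUR_MS = 60 * 60 * 1000;

const SAMPLE_PACKAGES = [
  // One publisher pushing four packages inside 30 hours, each backed by a near-empty repo.
  { name: 'solana-web3-utils', publisher: 'burst-publisher',   publishedAt: '2026-03-01T09:00:00Z', repoCommits: 1 },
  { name: 'aptos-sdk-helper',  publisher: 'burst-publisher',   publishedAt: '2026-03-01T21:30:00Z', repoCommits: 2 },
  { name: 'sui-wallet-tools',  publisher: 'burst-publisher',   publishedAt: '2026-03-02T14:00:00Z', repoCommits: 1 },
  { name: 'ethres',            publisher: 'burst-publisher',   publishedAt: '2026-03-02T15:00:00Z', repoCommits: 0 },
  // A publisher with three releases spread over two months: not a burst.
  { name: 'lint-rules-a',      publisher: 'steady-publisher',  publishedAt: '2026-01-05T10:00:00Z', repoCommits: 40 },
  { name: 'lint-rules-b',      publisher: 'steady-publisher',  publishedAt: '2026-02-01T10:00:00Z', repoCommits: 35 },
  { name: 'lint-rules-c',      publisher: 'steady-publisher',  publishedAt: '2026-03-01T10:00:00Z', repoCommits: 52 },
  // A long-lived, well-known package.
  { name: 'ethers',            publisher: 'ethers-maintainers', publishedAt: '2019-06-01T00:00:00Z', repoCommits: 4200 },
];

// Hypothetical allowlist of names people commonly intend to install.
const KNOWN_NAMES = ['ethers', 'web3', 'axios', 'lodash'];

// Publishers with at least minCount releases inside any window of windowHours.
function burstPublishers(packages, windowHours = 48, minCount = 3) {
  const byPublisher = new Map();
  for (const p of packages) {
    if (!byPublisher.has(p.publisher)) byPublisher.set(p.publisher, []);
    byPublisher.get(p.publisher).push(Date.parse(p.publishedAt));
  }
  const result = new Set();
  for (const [publisher, times] of byPublisher) {
    times.sort((a, b) => a - b);
    // Sliding window over sorted timestamps: j is the first release outside the window that starts at i.
    for (let i = 0, j = 0; i < times.length; i++) {
      while (j < times.length && times[j] - times[i] <= windowHours * HOUR_MS) j++;
      if (j - i >= minCount) { result.add(publisher); break; }
    }
  }
  return result;
}

// Levenshtein distance (insertions, deletions, substitutions).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Nearest well-known name within maxDistance edits, or null. An exact match is
// the well-known package itself, not a lookalike.
function lookalikeOf(name, knownNames, maxDistance = 2) {
  if (knownNames.includes(name)) return null;
  let best = null;
  for (const known of knownNames) {
    const d = editDistance(name, known);
    if (d <= maxDistance && (best === null || d < best.distance)) best = { known, distance: d };
  }
  return best;
}

// Combines the three signals into a risk rating for a package someone is about to install.
function assessPackage(name, packages, knownNames, { maxRepoCommits = 3 } = {}) {
  const pkg = packages.find(p => p.name === name);
  if (!pkg) return { name, risk: 'unknown', signals: ['not present in the registry snapshot'] };
  const signals = [];
  if (burstPublishers(packages).has(pkg.publisher)) signals.push(`publisher ${pkg.publisher} released 3+ packages within 48 hours`);
  if (pkg.repoCommits <= maxRepoCommits) signals.push(`linked repo has only ${pkg.repoCommits} commit(s)`);
  const look = lookalikeOf(name, knownNames);
  if (look) signals.push(`name is ${look.distance} edit(s) away from well-known package ${look.known}`);
  const risk = signals.length >= 2 ? 'high' : signals.length === 1 ? 'medium' : 'low';
  return { name, risk, signals };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of ['ethres', 'ethers', 'lint-rules-a']) console.log(assessPackage(n, SAMPLE_PACKAGES, KNOWN_NAMES));
}
```

The thresholds (48 hours, three releases, three commits, two edits) are assumptions chosen for the sample data; a real deployment would tune them against the registry's own publish-time and repository metadata, and would treat "medium" as a prompt to look rather than a block.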
If you are shipping a skill, one command is all it takes to verify it is clean: `skill-warden scan ./your-skill/` It checks for prompt injection, jailbreaks, token smuggling, secret grabbing, and obfuscation. You can also add the GitHub Action and get a badge that goes red the moment a hard violation is detected. Your users will know your skill passed before they install it ✅🦸‍♂️ github.com/W3OSC/skill-warde…
🚨You probably have `^` in half your dependencies. In your dev tools that is fine. In your actual production dependencies it means someone can push a malicious update and your next `npm install` pulls it in automatically with no warning. The axios supply chain attack worked exactly this way. depenemy flags loose version specifiers in production dependencies and leaves your dev tooling alone, because the risk is not the same in both places! 🗣️ github.com/W3OSC/depenemy
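The check the post above describes (flag loose specifiers in production dependencies, leave dev tooling alone) is small enough to show in full. The code below is an added example written for this page, not depenemy's own code. It assumes a `package.json` in the constructed form shown and an optional map of currently resolved versions (what a lockfile would hold) so that the suggested pins do not change what is actually installed.

```javascript
// Added example, not depenemy's code. The package.json and resolved versions are constructed.

// An exact pin is a full semver version, optionally with a leading "=" or "v" and a
// prerelease/build suffix. Anything else may resolve to a different artifact next install.
const EXACT_PIN = /^[=v]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Sections that reach a production install. devDependencies are excluded on purpose;
// peerDependencies are excluded because they are ranges by design.
const PRODUCTION_SECTIONS = ['dependencies', 'optionalDependencies'];

// Returns null for an exact pin, otherwise a short reason why the specifier is loose.
function describeSpecifier(spec) {
  const s = String(spec).trim();
  if (EXACT_PIN.test(s)) return null;
  if (s === '' || s === 'latest' || /^[xX*]$/.test(s)) return 'floats to the newest published version';
  if (s.startsWith('^')) return 'caret range accepts any compatible minor or patch release';
  if (s.startsWith('~')) return 'tilde range accepts any patch release';
  if (/^[<>=]|\|\||\s-\s/.test(s)) return 'open range accepts more than one version';
  if (/^\d+(?:\.\d+)?(?:\.[xX*])?$/.test(s)) return 'partial version accepts any matching release';
  if (/^(file:|link:|git\+|github:|https?:)/.test(s)) return 'resolved outside the registry; verify it pins an immutable commit';
  return 'not an exact pin';
}

// One finding per loose specifier in the production sections; dev tooling is never visited.
function findLooseSpecifiers(pkg) {
  const findings = [];
  for (const section of PRODUCTION_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = describeSpecifier(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Proposes an exact pin per finding from the versions currently resolved, so pinning
// freezes the current install instead of silently changing it.
function suggestPins(findings, resolvedVersions) {
  const pins = {};
  for (const f of findings) {
    if (resolvedVersions[f.name]) pins[f.name] = resolvedVersions[f.name];
  }
  return pins;
}

function scanPackageJson(text, resolvedVersions = {}) {
  const findings = findLooseSpecifiers(JSON.parse(text));
  return { findings, pins: suggestPins(findings, resolvedVersions) };
}

// Constructed sample input: four loose production specifiers, one exact pin, two loose dev specifiers.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-dapp',
  dependencies: { axios: '^1.6.0', ethers: '6.13.1', 'some-sdk': '~2.0.0', 'left-thing': '*' },
  optionalDependencies: { 'native-helper': '>=2.3.0' },
  devDependencies: { eslint: '^9.0.0', typescript: '^5.4.0' },
});
const SAMPLE_RESOLVED = { axios: '1.6.8', 'some-sdk': '2.0.4', 'left-thing': '0.3.1', 'native-helper': '2.3.3' };

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, pins } = scanPackageJson(SAMPLE_PACKAGE_JSON, SAMPLE_RESOLVED);
  for (const f of findings) {
    console.log(`${f.section}.${f.name} "${f.spec}": ${f.reason}${pins[f.name] ? ` -> pin ${pins[f.name]}` : ''}`);
  }
}
```

Pinning alone does not verify integrity; it only stops the next install from silently moving to a newer release. Pair it with a committed lockfile and `npm ci` so the resolved versions and their integrity hashes are what actually gets installed.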
Things in web3 move fast enough that stepping away may mean starting over. Operational security is not the same 🫨 The basics that protect your team, your keys, and your infrastructure are not being replaced by something new. If you're curious where to start 👇 github.com/W3OSC/web3-opsec-…
A friend of mine was on a sabbatical and he's just back to work, so he basically lost the whole AI revolution. I shared the most important learning materials:
- auto research by @karpathy
- harness engineering by @OpenAI
That's it. All the rest is ephemeral.
We're sharing our ShieldFlow audit report. 👇 One curl request to a public endpoint returned live auth tokens, encryption keys, and internal infrastructure secrets. This was not a smart contract bug. It was a web2 misconfiguration. The gap most audits miss is that Web3 protocols run on Web2 infra. Auditing the full stack is the only way to know what you are actually exposed to. 🕵️‍♂️ 10 critical and high severity findings which they fixed in record time! github.com/Auditware/audits/…

Auditware retweeted
May 14
For all the auditors getting scared by this contests market shift - let me walk you through bugonomics history 🐛🪨⏬
1⃣9⃣9⃣5⃣ Netscape (old browser) paid researchers for bugs, which was radical at the time
2⃣0⃣1⃣2⃣ @Hacker0x01 and @Bugcrowd dominated the bounty space and there was no notion of contests; they had private invite-only events, which is close, but a contest model didn't fit large web2 companies (e.g. Uber, Airbnb etc.) - they don't want 500 hackers hammering their servers in a single week
2⃣0⃣2⃣1⃣ @code4rena realized that contests are of a different nature:
- Smart contracts store loads of money directly, and get hacked like crazy
- Smart contracts are "immutable" - once deployed, you must find bugs before launch
- Open source means the auditor can fully understand logic, not just probe blindly
- More auditor attention, better results
For protocols - contests cost more than bounties. Let's think like a protocol for a second 🤔
contest = coverage, more eyes, pre-launch safety net
- Pay $200k pool upfront
- Runs 1-4 weeks
- Payout regardless of findings quality (money still gone)
bounty = sparse coverage, reactive not proactive
- Pay $0 until valid bug reported
- Only pay on confirmed severity
- Treasury preserved until hit
in bull markets - protocols don't want to get hacked, they spend what they can (contests, bounty after)
in bear markets - same, but now protocols have no funds - bounty is cheaper
2⃣0⃣2⃣5⃣ bear market gets worse, AI spamming submissions left and right making triaging costs increase exponentially
2⃣0⃣2⃣6⃣ even worse - still bear market, MORE (way more) AI, and there are fewer new protocols on top of it all
That's why today we are back to web2-style bounties. The protocols that make real money, real impact. In 2015 people made a living off web2 bounties; this ain't different. @immunefi @HackenProof @xyz_remedy are all live and kicking, and there's money on the table for you to take, harder than before, true - but since when has hard stopped us?
May 14
🚨🚨 DAILYWARDEN IS DOWN 🚨🚨 DAILYWARDEN IS DOWN 🚨🚨 DAILYWARDEN IS DOWN!!! I guess we are all officially transitioning back to bounties now 😈😈 dailywarden.com Here's where I'd go to next 👇 hackenproof.com/programs?lan… immunefi.com/bug-bounty/?fil…
We're very sad to hear this news. C4 were the first innovators that really paved the way for solving the unique challenges of web3 in a way that the industry really needed. Thanks for all of the years of keeping projects secure and launching security researchers' careers 🫡
Replying to @code4rena
After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.
Huge thanks to @Giveth for having us in the Ethereum Security QF Final Project Showcase 🛡️ Today is the LAST DAY to donate and every donation is matched! The projects in this round are building the security layer Ethereum runs on, and W3OS is one of them, bringing free practical and accessible OpSec tooling to web3 teams that need it. If you believe in a safer web3, now's the time to act 👇 W3OS: giveth.io/project/the-web3-o… Full round: qf.giveth.io/qf/ethereum-sec…
And if you would like to support OpSec public goods, consider donating to W3OS on Giveth! qf.giveth.io/project/the-web…
