This is a work in progress and not a release. We're looking for volunteers. See Issues to know how to collaborate.

Vendor Selection

tag: [Security Specialist, Operations & Strategy]

There are a lot of security vendors in the web3 ecosystem, and also in the web2 ecosystem. Depending on what you want to have reviewed, for example a Solidity contract, it may be relevant to use a security vendor that focus on web3, while if for example you're reviewing your infrastructure it may be more relevant to choose a vendor that focus on web2.

  1. Make sure you evaluate potential vendors based on their track record, reputation, and experience in what you want to test.
  2. Look for vendors with a proven history of addressing security challenges similar to your project’s needs.
  3. Ensure the vendor has relevant experience in web3 security vulnerabilities, as these require specialized skills.
  4. For example, if you’re building an L2, it may be beneficial to choose a vendor with a track record of reviewing L2s.
  5. It could prove valuable to start with a crowd-sourced assessment which is likely to catch a lot of low hanging fruit, then move to a dedicated security vendor that will dig down into the code to potentially find remaining issues.