Who Has Security?

What counts as having security?

Having an internal security person. This person can be a protocol security engineer, a CISO, or another security role. The definition is not strict. Our goal is to promote having internal security, not to evaluate companies.

Is this list really accurate?

No. We are not doing a strict evaluation, and we aim simply to promote having internal security. Companies listed here might still have bad practices, but at least they demonstrated interest in internal security.

Interested in actual best practices? Check out the SEAL framework.

My company is too small for a dedicated security person. What should I do?

That's okay. You can join the list once you grow. In the meantime, make sure security is explicitly owned by someone. A security-minded cofounder who's paranoid enough can be a good choice.

How do I find a security engineer?

It's hard. The security community lives in its own ecosystem, and while there is a lot of talent, you might struggle to get the right visibility. Look at specialized places like Rare Talent or Cyfrin Jobs. Promote your role at the DeFi Security Summit or in the BlockThreat newsletter.

Note: we are not affiliated with any of these links, but we think they are great.

Why does this matter?

Most protocols spend a lot of money on external code reviews, audit contests, and bug bounties, but miss the opportunity to build an internal team and really own their security. Security is not something you can fully outsource, and we want to promote better practices in the space.

How do I add my protocol to the list?

Open a PR or an issue on GitHub with the relevant information to verify you have a security person (e.g. their LinkedIn or Twitter). If you prefer not to share public proof, reach out to @montyly on X or Telegram with reasonable proof.