# Cybersecurity Internship Opportunities in Web3

Program: https://www.heinz.cmu.edu/programs/itlab/

Duration: 6 weeks

Field: Open source cybersecurity initiatives in web3

Final presentation: Early August

## About Us

The [Security Alliance](https://securityalliance.org/) is an open source initiative that aims to improve the security landscape of web3 through a series of projects providing educational content, training, incident response, and legal resources to companies and individual contributors in the ecosystem.

- **Seal 911** - A free 24/7 emergency hotline for help with incident response, vulnerability disclosure, or any other security problem
- **Seal Wargames** - Free red team exercises to help teams prepare for the next war room
- **Whitehat Safeharbor Agreement** - Legal protection and incentives for whitehats to rescue funds under active exploit
- **SEAL ISAC** - A nonprofit organization providing a central resource for gathering information on cyber and related threats to the blockchain and cryptocurrency ecosystem

[Shield3](https://www.shield3.com/) leads various initiatives for the Security Alliance, including SEAL Wargames, which help teams prepare to detect and respond to security incidents through customized exercises related to their platform. SEAL has conducted wargames with many of the top projects in web3, including:

- [Compound Finance](https://compound.finance/)
- [Aave](https://aave.com/)
- [Yearn](https://yearn.fi/)
- [Base (Coinbase)](https://www.base.org/)
- [Optimism](https://optimism.io/)
- [Uniswap](https://uniswap.org/)

The Security Alliance and Shield3 have opportunities for interns to contribute to these projects and gain insight into practical applications of their cybersecurity education.

## Opportunities

### Develop Open Source Tooling for Wargames

SEAL is developing a template for running Wargames (incident response drills) to help more teams run these exercises.
The template contains scripts & resources for:

- Planning scenarios
- Testing & validating potential incidents
- Creating bot accounts to operate on the network
- Operating network forks to create simulated environments
- Setting up monitoring & alerting tools
- Writing exploit scripts to trigger incidents

Template Repo: https://github.com/security-alliance/drill-template

**How you can help**

- Perform open source intelligence gathering & scenario design for upcoming drills
- Improve development guides & tutorials for running drills

**Relevant Experience**

- No specific experience needed besides an interest in cybersecurity & how it applies to the web3 space
- Experience with Python, JavaScript, Solidity, and DevOps is a plus

### Contribute to Registry of Smart Contract Security Vulnerabilities

SEAL is working to update and revamp the [Smart Contract Weakness Classification (SWC) Registry](https://swcregistry.io/), which is currently in a dormant state.

The SWC Registry is an implementation of the weakness classification scheme proposed in [EIP-1470](https://eips.ethereum.org/EIPS/eip-1470). It is loosely aligned with the terminology and structure used in the [Common Weakness Enumeration (CWE)](https://cwe.mitre.org/) while overlaying a wide range of weakness variants that are specific to smart contracts.

The goals of this project are as follows:

* Provide a straightforward way to classify security issues in smart contract systems.
* Define a common language for describing security issues in smart contract systems' architecture, design, or code.
* Serve as a way to train and increase performance for smart contract security analysis tools.

**How you can help**

- Draft new SWC entries based on smart contract vulnerabilities reported since 2020. A list of newly reported vulnerabilities will be provided by SEAL security researchers, who can also assist by reviewing new entries.
- Review existing entries and ensure they are still relevant in the 2024 smart contract security landscape
- Update code examples in the existing entries to reflect the latest development practices, such as new versions of the Solidity pragma
- Recommend & develop improvements to the [SWC Registry repository](https://github.com/SmartContractSecurity/SWC-registry) and website

**Relevant Experience**

* Interest in cybersecurity & how it applies to the web3 space
* Basic knowledge of Markdown and making GitHub contributions through Pull Requests
* An ability to learn, understand and draft vulnerability reports in a [CWE format](https://cwe.mitre.org/)
* Experience with Solidity and Ethereum smart contracts is a plus

### Contribute to the Contextooor Library

Shield3 leverages [the contextooor library](https://github.com/0xShield3/contextooor/tree/main) to gather context relating to transactions ready to be broadcast. Hacks come in all shapes and sizes, and if we can account for a specific attack pattern moments before broadcasting a transaction, we stand a chance at preventing damages.

**How you can help**

- Research web3 attacks
- Document the underlying patterns that can be relevant in detecting a security incident
- Build a Python module for detecting this attack type, using the transaction data as an input

**Relevant Experience**

- Familiarity with EVM JSON-RPC methods, Etherscan, Cryo, Polars (Pandas), Python, Rust and any other tools for data analysis is a plus
- Experience with the common EVM data types and structures
- Rudimentary knowledge of how the Ethereum blockchain works; this is the perfect experience to learn more about it