###### tags: `Red Team & vCISO`

![](https://hackmd.io/_uploads/Sy50YbJ2j.png)

# Spearbit vCISO and Security as a Service 🦾

## About Us

### The Role

If your Chief Information Security Officer (CISO) role is vacant, or you need project-based executive expertise, our community of vCISOs is the solution for you. Our vCISOs serve as technology leaders responsible for high-level technical guidance, smart contract best practices, architectural review, and the development and testing framework throughout your software development lifecycle, reporting directly to the CTO, CEO, and founders. Embedding an individual vCISO, or a pair of them, in your team lets you prepare for external reviews, execute on technical development, and reduce risk.

#### World Class Leaders

Spearbit has to date built one of the largest communities of security personnel in the blockchain space. Our vCISO candidates have years of auditing experience in web3, Solidity expertise, a background in web2 front-end development, and have led numerous Spearbit audits for clients such as OpenSea, Optimism, and Connext, to name a few.

#### Reduce Risk

Our vCISOs help you evaluate best practices for building and deploying smart contracts, offering an outside perspective on your overall system architecture before any external review.

#### Terms of Service

The vCISO works at an hourly rate agreed with each client, for a maximum of 5 hours per week. The engagement also comes with an agreed equity allocation, since this role is pivotal to the foundational layer of your protocol's development. Communication channels include e-mail, Telegram, and Discord; we are flexible to each client's needs.
## Client Case Studies 📝

### Optimism

In December 2022, Optimism, a layer 2 blockchain that uses optimistic rollups to help Ethereum scale, reached out to Spearbit in preparation for its system upgrade to [Optimism Bedrock](https://www.alchemy.com/overviews/optimism-bedrock-testnet-migration-guide/). This upgrade introduced a series of performance improvements over the existing rollup architecture. For a one-week sprint our vCISOs worked alongside Optimism's developer team to think critically through best practices and understand the design architecture to ensure a successful implementation. A few quick examples:

* Provided technical guidance on smart contract upgrades, emphasizing that only the necessary changes should be made in order to minimize security risk.
* Advised on compiler version selection, emphasizing the need to carefully review release notes and bug fixes to determine the safest option.
* Warned about the potential for loss of user funds during smart contract upgrades, suggesting the general precaution of avoiding deposits close to the upgrade time.
* Suggested not advertising specific risk vectors, to minimize user confusion and promote overall security awareness.

![](https://hackmd.io/_uploads/S1AUEbJhj.png)

### Covey

In August 2022, Covey, a community of investment analysts, reached out to Spearbit in preparation for its public launch, seeking guidance on its smart contracts for the data ledger, tokens, and staking. Covey's developer team did not have the in-house expertise to think critically through the implications of their architectural design decisions. Over a three-month period our vCISOs worked alongside Covey's developer team to critically assess the current state of their smart contracts and ensure a successful launch. A few quick examples:

* Advised on the token standard for deployment. We suggested ERC-20 rather than ERC-777 for their initial equity token launch; by avoiding a token type that is less compatible with existing protocols, we simplified their initial design.
* Helped debug an ENS setter issue, paying careful attention to variable naming and the modification of contract member variables.
* Spot-checked the smart contracts for common vulnerabilities.
* Critically analysed the staking mechanism as it was developed, applying mitigations for the risks of impermanent loss, high gas fees, and slashing events.

![](https://hackmd.io/_uploads/BJirtZknj.png)

## Questionnaire ❓

Please take a moment to answer the following questions about your organization's cybersecurity needs and objectives. This information will help us match you with the right virtual Chief Information Security Officer (vCISO) for your specific requirements.

1. What expectations and responsibilities would you have of the vCISO? This service is advisory in practice, assisting with technical guidance, best practices, the development and testing framework, and architectural review.
2. For how long would you like the vCISO to be available? We aim for 3-6 month engagements with a maximum of 5 hours per week of consulting.
3. Please outline your current team structure (i.e. org chart).
4. Help us understand your roadmap for the period in which the vCISO is involved.
5. Is there any specialized expertise you are looking for? Our community has a wide range of web3 and web2 experience.