# ETH Security Badge Scoring Rubric v2.5.1 (Final)

## 1. Overview

This rubric is used by TheDAO to evaluate and rank Ethereum security researchers on a 0–100 scale to identify the top Ethereum Security Experts. Version 2.5 expands the 10-pillar structure (4 Big, 6 Small) with detailed criteria, restores the **Exponential Impact Multiplier**, and provides specific **Implementation Notes** for each category to ensure consistent, high-fidelity scoring across the applicant pool.

---

## 2. Core Evaluation Pillars (Total: 100%)

### Big Pillars (17.5% each | 70% Total)

#### 1. Public Evidence (17.5%)

* **Description:** Verifiable proof of security work, including GitHub activity, published audit reports, CVEs, and technical write-ups. Prioritizes high-impact novel attack vectors or landmark research over a high volume of minor reports.
* **Implementation Notes:** Apply the "Recency Adjustment" so that activity within the last 24 months is weighted significantly higher. Use the "Output Quality" signal to distinguish routine auditing from ecosystem-shifting research.

#### 2. Depth of Experience (17.5%)

* **Description:** Evaluation of the researcher's professional tenure and of the technical complexity and stature of the systems they have secured. Focuses on years in the field and professional roles held.
* **Implementation Notes:** Years in the field serve as a secondary but valuable input. The primary score is derived from the highest tier of complexity and responsibility the applicant has successfully navigated in a lead or solo capacity.

#### 3. Ethereum Relevance (17.5%)

* **Description:** Measures the specificity of contributions to the Ethereum ecosystem, including the EVM, Solidity, L2s, and core infrastructure. Rewards depth of focus within ETH.
* **Implementation Notes:** Calculate "ETH-focused work as % of total output." A pure ETH specialist should score higher here than a crypto-generalist with equal total output spread across multiple non-EVM chains.

#### 4. Verifiable External Recognition (17.5%)

* **Description:** Broad recognition from the security community and platforms. Includes rankings on Immunefi/Code4rena, GitHub stars on security tools, conference talks, and an active technical presence on Twitter/X or other relevant platforms.
* **Implementation Notes:** This pillar balances auditor-centric platform rankings with broader community trust signals. High engagement on technical Twitter threads or significant tool adoption (forks/stars) are key indicators.

### Small Pillars (30% Total)

#### 5. Security Education & Knowledge Sharing (7%)

* **Description:** Rewards researchers who actively teach, mentor, or produce educational content such as technical threads, courses, workshops, and CTF design. Focuses on pedagogy and long-term ecosystem health.
* **Implementation Notes:** Look for evidence of "Downstream Impact": how many researchers have been trained or influenced by this individual's educational output?

#### 6. Tooling & Infrastructure Contributions (7%)

* **Description:** Specifically rewards creators and maintainers of security tooling (fuzzers, static analyzers, monitoring systems, block explorers, simulation tooling) and security contributions to wallet infrastructure and security standards (e.g., hardware wallet integrations).
* **Implementation Notes:** Prioritize tools with high industry adoption (e.g., Slither, Echidna). For wallets, include all kinds of wallets: smart contract, hardware, browser, etc.

#### 7. Incident Response & Crisis Track Record (6%)

* **Description:** Documented involvement in live security incidents, authored post-mortems, and demonstrated ability to coordinate under extreme pressure. This is a "skin in the game" metric for real-world crisis management.
* **Implementation Notes:** Verify involvement through public post-mortems or private verification from trusted groups like SEAL. High scores require evidence of successful mitigation or recovery.

#### 8. Traditional Cyber Security Expertise (5%)

* **Description:** Captures non-blockchain cybersecurity expertise in OS security, networking, hardware security, and traditional AppSec. This rewards the "full stack" security knowledge that strengthens Ethereum infrastructure.
* **Implementation Notes:** Look for professional backgrounds in traditional firms (e.g., Google Project Zero, NCC Group) or contributions to non-crypto open-source security projects.

#### 9. Threat Intelligence & Proactive Research (3%)

* **Description:** Identification of emerging threat classes before they are exploited. Includes novel attack vectors, academic papers, and responsible disclosures of unreleased vulnerabilities or zero-day classes.
* **Implementation Notes:** This pillar rewards "Frontier Research." A single disclosure of a new class of vulnerability (e.g., a new logic error in L2 sequencers) is the gold standard here.

#### 10. Governance & Standards Participation (2%)

* **Description:** Involvement in shaping the rules of the ecosystem through EIP authorship, ERC security reviews, and participation in Security Councils (e.g., Arbitrum, Optimism, or MakerDAO).
* **Implementation Notes:** Score based on the criticality of the standards influenced. Authorship of a security-focused ERC (like ERC-7251) carries more weight than general governance voting.

---

## 4. Advanced Variables & Bonuses

### A. Exponential Impact Multiplier

To separate "Foundational" contributors from the "Established" tier, scores in the **Ecosystem Impact** range (81–100) use an exponential scale.

* **Logic:** A score of 20/25 in a big pillar represents standard high-level work, while 25/25 is reserved for "ecosystem-defining" impact (e.g., saving >$100M TVL or authoring critical security EIPs).

### B. Broad Perspective & Scope Bonus (+3 to +7)

Applied to candidates who demonstrate a broad understanding of the Ethereum security space spanning multiple sectors (e.g., generalist leaders, newsletter authors, or heads of security for major infrastructure).

### C. Niche Organization Bonus (+2 to +5)

Intended to incentivize wide representation of organizations. Candidates from firms underrepresented in the candidate pool, including those with dual affiliations (e.g., an underrepresented firm + SEAL), receive this bonus to ensure diversity of thought, provided the firm is noteworthy.

### D. Network Diversity Multiplier (+2 to +5)

A sector-based bonus for candidates with high-depth expertise in underrepresented niches such as ZKP security, formal verification, and OpSec, so that the pool is not dominated by auditors.

### E. Organizational Soft Cap (7.5%)

Once an organization (EF, SEAL, etc.) occupies more than 7.5% of the Top 200 slots, the threshold for new applicants from that organization to enter the Top 200 increases, prioritizing only its most impactful representatives.

---

## 5. Implementation Policies

* **Individual-Only:** Team/company applications are rejected. Evaluation proceeds only if a personal handle or name is provided for individual assessment.
* **Hidden Gems:** A +5 point bonus is applied to candidates with high peer trust but low public profiles, identified via knowledge graph centrality and community vouching data.