[DEPRECATED] Promotion process, roles and responsibilities

[misirov]

About the Spearbit Promotion Process, roles and responsibilities.

The goal of this document is to outline Spearbit’s promotion process, define roles and responsibilities, and guide transparency.

• Introduction
• About Promotions
• Spearbit Roles
  • Junior Security Researcher (JSR)
  • Associate Security Researcher (ASR)
  • Security Researcher (SR)
  • Lead Security Researcher (LSR)
• Promotion Flow
  • JSR to ASR
  • ASR to SR
  • SR to LSR
• FAQs

Introduction

Note:

• 'Auditors' and 'Security Researchers' will be used interchangeably.
• 'Audit' and 'engagement' will be used interchangeably.

For Spearbit’s community of security researchers and the general web3 security ecosystem to thrive, it is key to acknowledge and support auditors’ growth during their professional career. Therefore, it is our responsibility that we clearly document and clarify the promotion process flow in an effort to encourage auditors career pursuits in alignment with what we consider to be the required skill set for each step of their professional development according to Spearbit’s role design.

The onboarding process must change in order to accomodate for the requirements found under each described role. The onboarding process must test each applicant's knowledge on a variety of blockchain related fields to fit a role.

The readers of this document are encouraged to leave feedback and suggestions.

About Promotions

It is not obvious how a fair and transparent promotion process must work within a security DAO when the risk of promoting someone without the adequate skill can result in harm being done to third parties in the industry and therefore, Spearbits' reputation.

Instead of driving and micromanaging each step the applicant is subject to, the core team should have minimum involvement.

It is therefore the intention to design a fair and quasi-automated process which satisfies applicant demands yet still complies with Spearbits' quality control mechanisms and expectations.

When companies and projects are hiring for developers, security consultants and security engineers (i.e. auditors) they take into consideration the credentials of these individuals and teams of experts. In regards to Spearbit, these credentials preceded our reputation, and allow for the opportunity of working with top tier projects to assist in improving their security posture.

For this reason, Spearbit cannot take an internal promotion process lightly knowing that such credentials carry reputational weight and will be accepted across the web3 industry as the new standard.

The fairest way to approach promotions is by making it as easy as possible for others to evaluate someone else's skill set and expertise.

Spearbit Roles

Auditors in the Spearbit community have a wide range of experience and skill sets. Roles are applied based on an individual’s verifiable track record, this includes both technical and soft skills. These are mostly evaluated during the cultural and technical interview process while complementary data is collected from each engagement performance, social media profiles, references, contributions to the space, etc.

Auditors engaging in Spearbit audits are compensated according to their role within the community. Currently, the following formalized roles that exist are Junior Security Researcher (JSR), Associate Security Researcher (ASR), Security Researcher (SR) and Lead Security Researcher (LSR).

It must be noted that a standardized, industry wide definition for each one of the abovementioned roles does not exist yet, and it is purely based on resume. Therefore, one of the secondary objectives of this document is to define and measure each one of the roles to standardize them.

We proceed to define and describe each role as follows.

Junior Security Researcher

Junior personnel with less than one year of web3 security experience and IT background. Must be guided by SR's and LSR's.

• Salary: 3K USDC per week.
• Small InfoSec background, technical knowledge required (junior sysadmin level).

Technical skills and ideal knowledge to have:

• Confident reading and writing Solidity code.
• Confident with how the Ethereum network works.
  • POW, POS.
  • Block construction.
  • TX propagation and mempool.
  • Nodes and clients.
  • Familiar with other EVM blockchains.
• Confident using Etherscan.
• Confident using GitHub.
• Confident using IDEs (Remix, HardHat, Foundry, Brownie, etc..).
• Confident with blockchain security concepts and common vulnerabilities.
• Confident with most common ERCs and proxy patterns.
• Confident with common DeFi mechanics (AMMs, lending, collateral, staking, etc..) and DeFi protocols (i.e., uniswap, compound, bancor, olympus,etc..)
• Familiar programming back end and front end applications with web3 or ethersJS.
• Familiar with ethereum clients and how they work.
• Familiar with basic EVM concepts and compilers.
  • High level understanding of CALL and STATE.
  • Difference between solidity > and < 0.8.0 versions.
  • Gas optimizations.
• Familiar with basic token economics.
• Completed Ethernaut, DamnVulnerableDeFi or any other blockchain CTF.
• Completed SECUREUMs bootcamp and participated on a RACE finding multiple issues.
• Can write Proof of Concepts for his own findings.
• Can write recommendations to fix security issues following best practices.
• Can write reports out of findings.
• Can document a protocol's architecture.

Soft Skills

Soft Skills
Can communicate his/her point clearly, both written and verbally.
Can communicate professionally with the client.
Can take initiative and be proactive.
Can work in a team, assist SR's and LSR's during an engagement.
Familiar with Blockchain history and culture. (e.g., BTC & ETH whitepapers, hacks, twitter marketing ops, psyops, celebrities and rugpulls...)

Responsibilities

Responsibilities
Going through issues when presenting to the client.
Identifying issues during the engagement.
Verifying issues are properly formatted according to the standard.
Generating reports.
Writing about the protocol's architecture.
Making questions and learning.

---

Associate Security Researcher

Junior to mid tier personnel with more experience than a regular Junior Security Researcher.

• Salary: 6.25K USDC per week.
• Less than a year in blockchain security.
• Web3 engineering or InfoSec background.
• Technical skills (previous tech job experiences).

Technical skills and ideal knowledge to have:

Builds on top of the Junior Security Researcher's mentioned above with deeper knowledge of each topic.

Soft Skills

Soft Skills
Can communicate his/her point clearly, both written and verbally.
Can communicate professionally with the client.
Can take initiative and be proactive.
Can work in a team, assist SR's and LSR's during an engagement.
Familiar with Blockchain history and culture. (e.g., BTC & ETH whitepapers, hacks, twitter marketing ops, psyops, celebrities and rugpulls...)

Responsibilities

Responsibilities
Going through issues when presenting to the client.
Identifying issues during the engagement.
Verifying issues are properly formatted according to the standard.
Generating reports.
Writing about the protocol's architecture.
Asking questions and learning.
Reviewing client fixes.

---

Security Researcher

Professional personnel with more than one year of experience in web3 security and InfoSec or Software Engineering background. Must not be guided.

• Salary: 12.5K USDC per week.
• Web3 engineering or InfoSec background, technical knowledge required (medium sysadmin and smart contract developer level).

Technical skills and ideal knowledge to have

• Proficient reading and writing Solidity code.
• Proficient using GitHub, analyzing code bases and searching for vulnerabilities in open sourced repositories.
• Confident programming back end and front end applications with web3, ethersJS or other SDK.
• Confident with Web2 security attacks: node DDOS, server exploitation, phishing, Nation State hacking campaigns, etc..
• Confident conducting on-chain investigations using alternative tools (beyond etherscan).
• Confident with MEV practices: PGAS, front running, arbitrages, liquidations, sandwiching, liquidity sniping, tx censoring, bots...
• Confident using IDEs (Remix, HardHat, Foundry, Brownie, etc..).
• Confident writing tests and using tools (Foundry tests, fuzzing campaigns, formal verification,etc..).
• Confident writing and reproducing web3 exploits.
• Confident with blockchain security concepts, common vulnerabilities and edge cases.
• Confident with common ERCs and their use across the ecosystem, proxy patterns, reading EIPs and specifications.
• Confident with common DeFi mechanics (AMMs, lending, collateral, staking, etc..), DeFi protocols (i.e., uniswap, compound, bancor, olympus,etc..), NFTs, and identifying forks / reused code.
• Confident with developer tooling.
• Confident with system monitoring (Tenderly, Forta, OZ defender, etc.. ).
• Familiar with ethereum clients and how they work.
• Familiar with advanced EVM concepts and compilers.
  • Yul.
  • Understanding of the ethereum yellow paper.
  • CREATE2, deterministic deployments.
  • Reverse Engineering, smart contract decompilation and debugging.
  • Solc and optimizers.
  • Initialization and Runtime Code.
  • Stack manipulation and memory management.
  • Basic opcodes: CALL, STATICALL, DELEGATECALL, REVERT, etc..
  • Gas optimizations.
  • Handle assembly{} blocks.
• Confident understanding protocols token economic design.
• Completed Ethernaut, DamnVulnerableDeFi or any other blockchain CTF.
• Completed SECUREUMs bootcamp and participated on a RACE finding multiple issues.
• Can write Proof of Concepts for his own findings.
• Can write recommendations to fix security issues following best practices.
• Can write reports out of findings.
• Can review bugs and client fixes.
• Can document a protocol's architecture.

Soft Skills

Soft Skills
Can communicate his/her point clearly, both written and verbally.
Can communicate professionally with the client.
Can take initiative and be proactive.
Can work in a team, guide Junior Security Researchers and follow LSR's lead during an engagement.
Can conduct research, gather information and present conclusions.
Familiar with Blockchain history and culture. (e.g., BTC & ETH whitepapers, hacks, twitter marketing ops, psyops, celebrities and rugpulls...)
Confident with offensive and defensive security methodologies.

Responsibilities

Responsibilities
Guiding and following LSR's lead.
Going through issues when presenting to the client.
Identifying issues during the engagement.
Ensuring issues are properly formatted according to the standard.
Reviewing client fixes.

---

Lead Security Researcher:

Senior personnel with more than four years of experience in web3 security, InfoSec, IT and / or solid web3 background. Guides others.

• Salary: 20K USDC per week.
• Extensive experience reading/writing code to spot unusual patterns and estimating risk (probability/impact).

Technical skills and ideal knowledge to have

• Proficient reading and writing Solidity code.
• Proficient using GitHub, analyzing code bases and searching for vulnerabilities in open sourced repositories.
• Proficient writing tests and using tools (Foundry tests, fuzzing campaigns, formal verification,etc..).
• Proficient understanding protocols token economic design.
• Proficient writing and reproducing web3 exploits.
• Proficient with blockchain security concepts, common vulnerabilities and edge cases.
• Proficient with common ERCs and their use across the ecosystem, proxy patterns, reading EIPs and specifications.
• Proficient with common and custom DeFi mechanics (AMMs, lending, collateral, staking, etc..), DeFi protocols (i.e., uniswap, compound, bancor, olympus,etc..), NFTs, and identifying forks / reused code.
• Proficient conducting on-chain investigations using alternative tools (beyond etherscan).
• Proficient with MEV practices: PGAS, front running, arbitrages, liquidations, sandwiching, liquidity sniping, tx censoring, bots...
• Confident with basic computer science algorithms.
• Confident programming back end and front end applications with web3, ethersJS or other SDK.
• Confident with Web2 security attacks: node DDOS, server exploitation, phishing, Nation State hacking campaigns, etc..
• Confident with developer tooling.
• Confident with system monitoring (Tenderly, Forta, OZ defender, etc.. ).
• Confident with ethereum clients and how they work.
• Confident with advanced EVM concepts and compilers.
  • Can handle all assembly{} blocks without major misses.
  • Aware of construction gas costs.
• Can write Proof of Concepts for his own and other's findings.
• Can write recommendations to fix security issues following best practices.
• Can review bugs and client fixes.
• Can document a protocol's architecture.
• Aware of standards and best practices to compare and recommend.

Soft Skills

Soft Skills
Can communicate in english at business proficiency level.
Can communicate his/her point clearly, both written and verbally.
Can communicate professionally with the client.
Can communicate complex issues in a simple way.
Can take initiative and be proactive.
Can perform managerial tasks, coach Junior Security Researchers and SR during an engagement.
Can conduct research, gather information and present conclusions.
Confident with Blockchain history and culture. (e.g., BTC & ETH whitepapers, hacks, twitter marketing ops, psyops, celebrities and rugpulls...)
Confident with offensive and defensive security methodologies.
Can answer team and client questions.
Can identify threat vectors and weak spots.
Up to date with industry news and developments.
Up to date with new exploits and vulnerabilities.
Time management and making sure the engagement progresses according to the timeline.
Does not take anything for granted.

Responsibilities

Responsibilities
Guiding Junior Security Researchers and SR's.
Going through issues when presenting to the client.
Identifying issues during the engagement.
Reviewing client fixes.
Assuring audit quality.
Assessing major risks and recommending solutions.
Assessing engagements costs, effort, scope, depth and time.
Making sure issues are written in time.

---

Promotion Flow

The above diagram shows the promotion process from a high level perspective including several components which are described down below:

Spearbit auditors portfolio. The best way to evaluate auditors expertise is by having them craft their own web3 security portfolio.

Applicants can maintain and submit a free format portfolio with content that should include:

1. A summary of all Spearbit audits you have been on, including all issues you have found during the audit, your assessment of the quality of the audit and the risks of the protocol, and the names of the auditors (APR's, SR's & LSRs) that were on the audit.
2. A summary (and detail when possible) of all Security work you have done since your Spearbit onboarding. This can be other web3 audits you've done outside of Spearbit, and web2 security consulting as well.
3. A summary of why you think you should be promoted to the next level- emphasis on technical AND soft skills.

We aim to introduce it as a means of reducing evaluators cognitive load during assessment time. An updated portfolio also has multiple benefits for the person creating it. Therefore, we believe this method is beneficial to everyone, both regarding promotions and on a personal / professional level.

SEAL engagements. A classic, collaborative Spearbit audit led by LSRs who pose questions and challenges during the audit in order to test and evaluate Junior Security Researchers and Associate Security Researchers skills.

Performance is measured subjectively. See example of table below:

SEALs are introduced as Spearbit's response to the need of upskilling Junior Security Researchers into Security Researchers by offering guided audits.

Participating in SEAL engagements require that the average Junior Security Researcher and Associate Security Researcher rate of 3k/week and 6,25k /week must be lowered in order to fit the clients budget.

SEAL-X engagement: Competitive, individual audit where auditors try to find the maximum amount of issues on their own using different tools and resources. Issues are submitted to SRs and LSRs for reviewing and objective evaluation.

See an example of an evaluation template below.

LSR council. For Security Researchers to become LSRs, 3/5 LSRs + 2 core team members must vote in favour of the applicant. A Spearbit portfolio must also be submitted for evaluation.

Junior Security Researcher to Associate Security Researcher

Fixed Requirements:

• Participated in minimum 3 Spearbit audits.
• Must submit a portfolio.
• Can apply once per quarter.

Junior Security Researcher submits portfolio proving he has reached an Associate Security Researcher level after 3 Spearbit audits.

The Spearbit core team will evaluate such portfolio with the help of an SR and LSR. If the applicant's portfolio proves notable experience in blockchain security over that of a Junior Security Researcher, a new freelance contract applying the new rate and highlighting new responsibilities will be sent for the applicant to sign.

Responsibilities at this level include those of an Junior Security Researcher plus client bug fix reviews.

Associate Security Researcher to Security Researcher

A notable skill gap exists between Junior Security Researchers / Associate Security Researchers and Security Researchers. It is imperative that skills and knowledge are evaluated as objectively as possible.

• Participated in minimum 5 Spearbit audits.
• Must submit portfolio.
• Must have participated in 3 SEALs.
• Can apply once per quarter.

Security Researcher to Lead Security Researcher

Evaluating a Security Researcher's skills is a hard task. It is therefore that part of this process is directly outsourced to LSRs who must vote in favour or against an applicant's promotion request.

• Participated in minimum 9 Spearbit audits.
• Must submit a portfolio.
• Can apply once per quarter.

A council of LSRs (preferably made out of those who have previously participated in audits with the applicant) will review the applicants portfolio, track record, skillset, etc.., and will reach a decision if the applicant is ready to perform as, and take the same responsibilities a Lead Security Researcher has.

FAQs

• Why can someone automatically become an SR/LSR after onboarding?

Because of a provable track record.

• Why do i need "X" Spearbit audits to prove my worth?

To build a provable track record and gather data.

• What happens if my appliaction is denied?

You can apply every quarter.

---

Change Log

Incorporating community feedback.

+ Create knowledge archive with the help of the community.
+ SR must participate in an audit paired with an LSR and get trained/coached to tackle future 1 LSR led engagements. 

Junior Security Researcher to Associate Security Researcher:

+ Participated in Secureum RACE and obtained a positive score.
+ Participated on 1 SEAL engagement and obtained a score greater than 8/16.

Associate Security Researcher to Security Researcher:

+ 2 SEALS of which the average score must be greater than 12/16
- Must have completed SEAL-X.
+ Must have completed 2 SEAL-X finding on average more than 50% of the High Severity findings and more than 50% if Medium Severity findings.

[ebaizel]

Part of the process should verify that the candidate is already performing at the next level, so we're not only just looking at quantitative data like how many audits they have completed. For example, when going from Intermediate Apprentice to Security Researcher, the candidate could be assessed on things like:

• understanding protocol tokenomics
• understanding Web2 security attacks, node DDOS, server exploitation, phishing, Nation State hacking campaigns, etc..
• understanding MEV practices: PGAS, front running, arbitrages, liquidations, sandwiching, liquidity sniping, tx censoring, bots...

The candidate shouldn't be expected to have all the next level skills. Perhaps the required skills to assess could be categorized as critical vs important; and the candidate must demonstrate all the critical ones.

[misirov]

Excellent point. What would you suggest to assess such skills?

[StErMi]

Should Spearbit have some kind of knowledge archive for each of the points in the requirements to allow someone willing to pursue the promotion being able to get the required knowledge?

Sometimes it's difficult to find the high-level resources (articles, videos, books, CTFs, example, exercises and so on) to master those skills.

[misirov]

Interesting point. We did consider a knowledge archive. It can definitely be created with the help of the community.

[ebaizel]

Did anything ever get started for this knowledge archive?

[evmlionel]

Is the knowledge archive still a thing?

[misirov]

Currently not, but the Armory may become it in the future

[StErMi]

LSR role is a crucial one, and it can happen that in an audit there's the need of just one LSR.

Would make sense to have a period of 1/2 audit where the SR promoted will be paired with an experienced LSR that can prepare him for the role when eventually he/she will be alone? During this period, the SR would act as a LSR and the LSR paired with him/her would also focus on training him/her.

[misirov]

Agreed. Added.

[grmpyninja]

I got to say I kind of like it. It is a bit long and in some cases very descriptive when in other cases a bit concise, but still it is quite thorough and transparent. So far the only comprehensive list I was aware of was https://github.com/razzorsec/AuditorsRoadmap and now both can complement each other.

Referring to those concise skills items, I also do kind of agree with some comments on discord(forum) that some areas are very wide (e.g. Web2 Security), listed in a generic way and it can take like months to acquire those skills, whether others are very detailed and can be achieved way quicker. Unless I overestimated the confidence level. Anyway, I guess it's a matter of communication whether some items should be considered like mandatory (hard requirement) or rather like a good to have bonus from prior experience/job. After all each audit is a team work and it's for sure beneficial to match people with prior exp in e.g. development, others in sysadmin, others in Web2 web app/infra IT sec etc. or according to the project's needs as they can differ as well. Best situation is like when some knowledge overlaps when other auditors complement each other, but I'm also just wondering what the path should look like for a person who has just started in Web3 security and might not have that prior exp. Should it be like such person should get a job as sysadmin/info sec consultant/developer first?

In the end, I'm also not entirely sure which approach is better - pushing people in many directions or more narrow specialisations. It's always difficult in IT Sec both Web2 & Web3. As I assumed 'ideal knowledge' means that each has to decide on his/her own as both paths are useful in various cases.

Referring also to the comment regarding critical/important skills as it kind of touches the similar area, I think that maybe it would be a good idea leaving it as it is for now to not make it too complex and over time add some labels/tags for some skills (or add new skills items) depending on the demand, to help prioritise stuff to learn and to up-skill people in the right direction.

Anyway, great job to see it progressing :) I'm looking forward to more audits, SEAL/SEAL-X and how promotions go and this process is implemented in practice.

[misirov]

Suggestion: Introducing new role naming convention

Titles are important and we aim to give our community their deserved respect. Therefore we propose a new role naming convention. Please do vote in favor or against for these changes to be applied across the DAO.

- Apprentice
+ Junior Security Researcher

- Intermediate Apprentice
+ ???

+ Security Researcher

+ Lead Security Researcher

[misirov]

Lets us discuss and see what we can do. Although i like the new scheme, i get the feeling that we are not understanding the depth of all potential issues this change may introduce.

Motivation for the name change:
0 - Being called an "Apprentice" does not help in finding other opportunities. If we were to do A / B testing with Apprentice / Junior Security Researcher, a higher percentage of users / clients / employers will gravitate toward the second option. Therefore it helps in finding new opportunities.
1 - Being called an Apprentice is not serious, the name does not justify / reflect the cost and it does not sound professional. From a client perspective, Apprentices are not needed when you can get SR's and LSR's. Junior Security Researchers on the other hand does justify the cost
2 - Several users raised the point that Intermediate Apprentice is confusing and also not serious.
3 - Increase in members motivation and self esteem
4 - If we want our role definition to be used across the industry, Apprentice and Intermediate Apprentice do not sound very compelling.

This change should be rather straightforward and introduce no issues:

- Apprentice
+ Junior Security Researcher

This change shifts perception and the implications are not fully understood:

- Intermediate Security Researcher
+ Security Researcher
- Security Researcher
+ Senior Security Researcher

Example of some issues:
1️⃣ - Explaining to existing clients why they are paying less for "Security Researchers", thus creating confusion and potential disappointment.
2️⃣ - (not a problem) Changing docs, presentation decks, discord roles..
3️⃣ - Past reports show "Apprentices" and "Security Researchers". Under the new proposed name scheme someone could call himself a "Security Researcher" and reference a previous report under the old naming scheme in order to "make it look like they are at the same level as a prestigious Security Researcher is", which can be used as a tool to intentionally AND / OR unintentionally confuse/deceive people.
4️⃣ - Decoupled meaning from the InfoSec industry, where a Security Researcher has more technical skills than what a current Intermediate Apprentice has, therefore rewarding the title holder with reputation beyond the skill level
5️⃣ - Short-Mid term name habituation phase will introduce errors. From a perception point of view, Intermediate Apprentice's skill and the general understanding of what a Security Researcher's skill is becomes misaligned.

thoughts? 🤔

[misirov]

Implemented

- Apprentice
+ Junior Security Researcher
- Intermediate Apprentice
+ Associate Security Researcher

[m0ham3dx]

In reference to the following text

while complementary data is collected from each engagement performance, social media profiles, references, contributions to the space, etc

imho the requirement for the social media profiles requires some justification , atm the most popular social media profiles are going downhill with multiple problems , and some of us dont use it as a professional level , maybe the use of Complimentary Data could require some more details..

[AvinashNayak27]

How do I apply to join the Spearbit as a Junior security researcher

[misirov]

NOTE
To apply for Spearbit, participate and score well on cantina.xyz/competitions . Cantina will be used as a source of truth to evaluate performance and technical skillset.

1. Participate on competitions and score in the top winners.
2. Fill in your Cantina profile (e.g., cantina.xyz/u/cmichel ) with relevant experience.
3. The Spearbit core team will either contact you, or you can reach out to the core team for an application.

Remember that Spearbit is the industry leading network of elite Security Researchers. Best of lucks!