Web3 Security Maturity Model

The Web3 Security Maturity Model, developed by Filecoin Foundation’s security team, is a comprehensive framework designed for decentralized technology organizations and projects. It allows anyone to perform a structured self-assessment with the goal of helping Web3 contributors better evaluate and enhance their security posture across all aspects of development and operations.

Tailored Security Maturity

How to Leverage the Model

The Web3 Security Maturity Model is broken up into 9 core functions. Each core function is divided into functional areas that are broken into two streams with control criteria.

This maturity framework does not require all organizations to achieve the maximum maturity level in every category. Instead, it allows organizations to define and measure their security activities in a way that is tailored to their specific needs, and it encourages organizations, projects, and users to adapt the framework based on their unique environment, goals, and existing security maturity.

  • Level 1: Initial and Ad-hoc

    Represents an initial awareness and a basic understanding of the concept being evaluated (e.g., security culture). There is minimal formalization, and process/documentation may not exist.

  • Level 2: Defined and Repeatable

    Indicates that structured programs are in place, aimed at promoting, reinforcing, and sustaining the practices necessary to support the area being evaluated. There is an emphasis on proactive capabilities in security.

  • Level 3: Optimized and Measurable

    Reflects a focus on continuous improvement. Practitioners use metrics and feedback loops to refine their security processes and practices constantly. Capabilities are driven by data and metrics to make informed security decisions, and there is a focus on optimizing security efforts based on evolving threats and lessons learned.

Building Blocks of Security

Explore the Core Functions

Leadership and Organizational Principles

1. Vision and Security Culture

1.1 Culture Building
  • A team or individual is available to drive the security program
  • Level 1: Is there an initial awareness and understanding of security culture within the organization?
  • Level 2: Are structured programs in place for promoting and reinforcing a strong security culture?
  • Level 3: Is there a pervasive, deeply ingrained security culture, actively supported and enhanced by all team members?
1.2 Vision Communication
  • A formal reference for security vision or mission statement exists for the organization/project
  • Organizational or project goals are clearly defined
  • Stakeholders for security decisions are defined
  • Level 1: Is the security vision clearly defined and communicated within the organization?
  • Level 2: Is the security vision integrated into broader organizational goals and regularly reinforced through communication?
  • Level 3: Is there ongoing, dynamic communication about the security vision, including feedback loops with various stakeholders?

2. Organizational Structure for Web3 Security

2.1 Structure Adaptation
  • The organizational structure considers the challenges of distributed teams such as time zones, equipment, events, and physical access to technology
  • Staff and personnel are clearly delineated from contributors
  • Input from a greater ecosystem or community is considered in developing organizational structure
  • Partnerships and related organizations are clearly defined
  • Level 1: Is there a basic structure in place that supports Web3 security needs?
  • Level 2: Does the organizational structure adapt to evolving Web3 security challenges and integrate cross-functional teams?
  • Level 3: Is the structure highly adaptive, promoting agility and rapid response to Web3 security trends and threats?
2.2 Role and Responsibility Clarity
  • Clear documentation of security roles/responsibilities
  • Regular updates and communication about role changes and security updates
  • Established channels for updates and feedback
  • Level 1: Are basic roles and responsibilities for security defined within the organization?
  • Level 2: Are roles and responsibilities for security clearly detailed, communicated, and understood across the organization?
  • Level 3: Is there a high level of role clarity, with ongoing refinement and alignment of responsibilities as the organization evolves?

3. Performance Metrics and Continuous Improvement

3.1 Metric Development and Tracking
  • Metrics are defined for tracking security and security activities
  • Systems exist to track security metrics and objectives
  • There is a regular review of collected data
  • Level 1: Are basic performance metrics for security established and tracked?
  • Level 2: Are these metrics regularly reviewed and used to guide decision-making?
  • Level 3: Are there advanced, comprehensive metrics in place, covering diverse aspects of security, and regularly used for strategic planning?
3.2 Improvement Initiatives
  • A roadmap for security exists alongside the security strategy
  • The roadmap is objectively measurable
  • Stakeholders have approved or agreed to the roadmap for security
  • Level 1: Are there initial efforts to identify and implement security improvement initiatives?
  • Level 2: Is there a structured process for regularly initiating, tracking, and reviewing improvement projects?
  • Level 3: Is there an established culture of continuous improvement, with initiatives systematically integrated and aligned with organizational learning?

Relevant Policies and Maturity Levels

1. Decentralization Governance

1.1 Culture Building
  • You’ve adopted a set of standards that are aligned with organizational or project goals
  • Level 1: Are there initial policies established to govern decentralization aspects of the project?
  • Level 2: Are these policies regularly reviewed and enforced with clear mechanisms and accountability?
  • Level 3: Is there a comprehensive, dynamic approach to policy creation and enforcement, regularly updated to reflect evolving decentralization challenges?
1.2 Community Involvement
  • You have initiated relationships or communication with the greater ecosystem or community
  • Level 1: Is there basic involvement of the community in the governance process?
  • Level 2: Is community feedback systematically integrated into governance decisions and policy developments?
  • Level 3: Is there a robust, continuous engagement with the community, driving governance policies with active participation and co-creation?

2. Compliance and Legal Frameworks

2.1 Regulatory Alignment
  • You have established a list of regulatory considerations for your project or organization
  • Level 1: Are there efforts to understand and align with basic regulatory requirements?
  • Level 2: Is there a structured process for ensuring ongoing compliance with a wider range of regulatory frameworks?
  • Level 3: Is there a proactive approach to regulatory alignment, including anticipation of future regulations and active involvement in regulatory discussions?
2.2 Legal Risk Assessment
  • You have engaged legal counsel to determine legal responsibilities and risks
  • Level 1: Is there a basic assessment of legal risks associated with the project's operations?
  • Level 2: Are legal risks systematically identified, assessed, and integrated into broader risk management processes?
  • Level 3: Is there an advanced, proactive approach to legal risk assessment, including regular updates and adaptations to legal strategies based on emerging trends?

3. Policy Maturity Assessment

3.1 Policy Review Process
  • You have a set of policies available for review
  • You have reviewed these policies at some point after their creation
  • Level 1: Is there a basic process in place for the review of existing policies?
  • Level 2: Are policy reviews conducted regularly with documented processes and stakeholder involvement?
  • Level 3: Is there a sophisticated, iterative process for policy review, incorporating diverse inputs and continuous learning?
3.2 Adaptation to Emerging Threats
  • You are aware of emerging threats for your ecosystem or project
  • You have addressed one of these threats with your teams or ecosystem
  • Level 1: Are policies occasionally updated to address new or emerging threats?
  • Level 2: Is there a structured approach to regularly adapt policies in response to evolving security landscapes?
  • Level 3: Is there a proactive, anticipatory strategy in place for adapting policies, ensuring agility and responsiveness to future threats and challenges?

Risk Management

1. Risk Assessment and Prioritization

1.1 Risk Identification
  • You’ve identified security risks within the organization
  • You are actively considering risk in business decisions
  • Level 1: Are basic methods in place for identifying risks, with an initial risk register established?
  • Level 2: Is the risk register regularly updated with identified risks using systematic methods and tools?
  • Level 3: Is there a comprehensive, proactive approach for risk identification, with an advanced, constantly updated risk register incorporating community and stakeholder feedback?
1.2 Risk Prioritization
  • You’ve measured your risks and are tracking them in a central location
  • You have a risk register and method of classification of risks
  • Level 1: Are risks prioritized in the risk register based on basic criteria such as likelihood and impact?
  • Level 2: Is there a formal, documented process for risk ranking in the risk register, involving consensus building among stakeholders?
  • Level 3: Are risk prioritization processes in the register regularly reviewed and refined, incorporating changing risk landscapes and stakeholder insights?

2. Risk Mitigation and Management

2.1 Mitigation Strategies
  • You’ve mitigated risks discovered in a risk register
  • You tested for complete mitigation of the risk
  • You have a plan for addressing identified risks
  • Level 1: Are basic mitigation strategies identified for risks in the risk register and implemented?
  • Level 2: Are mitigation strategies in the register regularly tested for effectiveness, with clear accountability assigned?
  • Level 3: Is there a comprehensive mechanism for continuous improvement of mitigation strategies in the risk register, integrating feedback loops and best practices?
2.2 Continuous Risk Monitoring
  • You are monitoring risks identified in a risk register and have checked in on their status at least once
  • Level 1: Are there initial systems for ongoing monitoring of risks in the risk register?
  • Level 2: Is there an advanced, structured approach for continuous monitoring of risks in the register with clear reporting protocols?
  • Level 3: Are comprehensive tools and technologies employed for real-time monitoring of the risk register, with sophisticated processes for risk reporting and effectiveness evaluations?

Identity and Access Management

1. Access Control Mechanisms

1.1 User Authentication and Authorization
  • You have a method of tracking users or identities within your org or project by alias or identity
  • You have a method of integrating authentication mechanisms into your technical and business or project workflows
  • Level 1: Is there a basic system for user authentication, possibly using common credentials or simple key-based access for participants?
  • Level 2: Are there more advanced, multi-factor authentication systems in place, catering to the decentralized and pseudonymous nature of users, while ensuring secure access control?
  • Level 3: Is there a sophisticated, dynamic authentication and authorization system that adapts to user roles and contexts, integrating decentralized identity solutions where applicable?
1.2 Privilege Management
  • You have identified roles for each person in the project or org
  • There is some separation of roles / permissions for identities
  • Level 1: Are basic privileges assigned based on user roles, even if these roles are not tied to real-world identities?
  • Level 2: Is there an advanced system for managing privileges that reflects the dynamic and distributed nature of the team, with periodic reviews?
  • Level 3: Are privilege management processes highly evolved, with automated role-based access control and continuous monitoring for anomalous access patterns?

2. Identity Verification and Management

2.1 Identity Proofing and Verification
  • You can verify authenticity of identities within your workflows
  • Level 1: Is there a basic form of identity proofing, possibly relying on community reputation or existing trust networks?
  • Level 2: Are there more structured identity verification processes that balance the need for some form of reliable identification with the respect for pseudonymity?
  • Level 3: Is there a comprehensive identity verification system that effectively manages risk while accommodating the decentralized, pseudonymous nature of the community?
2.2 Identity Lifecycle Management
  • There is a method for provisioning and deprovisioning identities or accounts
  • Level 1: Is there an initial process for managing the lifecycle of identities (creation, maintenance, deletion) in a decentralized environment?
  • Level 2: Are there advanced processes in place for systematically managing the identity lifecycle, including periodic verification and adjustment of access rights?
  • Level 3: Is the identity lifecycle management process fully integrated, featuring continuous updating and refinement, and leveraging decentralized technologies where appropriate?

Asset Management

1. Digital Asset Identification

1.1 Asset Cataloging
  • There is a basic understanding of business assets
  • There is some mechanism of tracking at least one of these business assets
  • Level 1: Is there a basic process in place to catalog digital assets, identifying key assets within the organization?
  • Level 2: Are cataloging processes more refined, with comprehensive documentation of digital assets, including those in decentralized environments?
  • Level 3: Is there an advanced, automated system for asset cataloging, continuously updated and integrated with other asset management systems?
1.2 Asset Classification
  • Assets can be divided by intent, responsibility, and purpose
  • Level 1: Are digital assets classified into basic categories based on their type or purpose?
  • Level 2: Is there a more detailed classification system, considering factors like criticality, sensitivity, and regulatory requirements?
  • Level 3: Is asset classification highly sophisticated, with dynamic categorization that adapts to changes in the asset's use or environment?

2. Asset Lifecycle Management

2.1 Lifecycle Process Definition
  • There is a method for provisioning and deprovisioning assets
  • There is an asset inventory
  • Level 1: Is there a basic definition of the lifecycle stages for digital assets?
  • Level 2: Are lifecycle processes more developed, with clear guidelines and procedures for each stage of the asset's lifecycle?
  • Level 3: Is there a comprehensive and dynamic management of the asset lifecycle, with automated processes and continuous refinement based on asset performance and feedback?
2.2 Lifecycle Compliance Monitoring
  • There are compliance, regulatory, or framework requirements for monitoring
  • There is a method for tracking these requirements
  • Level 1: Is there a basic monitoring system in place to ensure compliance with defined lifecycle processes?
  • Level 2: Are monitoring processes more advanced, with regular reviews and audits to ensure lifecycle compliance?
  • Level 3: Is lifecycle compliance monitoring highly integrated with other asset management systems, featuring real-time monitoring and proactive compliance enforcement?

Data Protection Practices

1. Data Privacy Compliance

1.1 Compliance with Privacy Laws
  • There is an understanding of privacy laws required by the organization or project
  • There is a need to adhere to specific privacy laws within a region or customer base
  • Level 1: Is there basic awareness and compliance with major privacy laws relevant to the organization's operations?
  • Level 2: Are compliance processes more comprehensive, covering a wider range of laws and regulations, and regularly reviewed?
  • Level 3: Is there an advanced, proactive system for privacy compliance, including regular audits and updates to address new regulations and global standards?
1.2 Data Minimization and Retention
  • There is a need to handle or control data in a structured way
  • There is a capability to apply retention policies against data
  • Data can be separated by classification
  • Level 1: Are there initial policies in place focusing on data minimization and defining basic data retention periods?
  • Level 2: Are data minimization and retention policies more detailed, adhering to best practices and specific regulatory requirements?
  • Level 3: Is there a sophisticated approach to data minimization and retention, with ongoing evaluation and adaptation of policies based on data lifecycle and privacy impact assessments?

2. Data Security and Encryption

2.1 Implementation of Encryption
  • There is a method for encrypting data
  • There is a basic understanding of cryptographic functions and algorithms
  • Level 1: Is basic encryption used for sensitive data, particularly data at rest and in transit?
  • Level 2: Are encryption practices more refined, employing stronger and more diverse encryption standards tailored to different types of data and transmission?
  • Level 3: Is the implementation of encryption advanced, using state-of-the-art encryption technologies and regularly updated to counteract emerging threats and vulnerabilities?
2.2 Access Control to Sensitive Data
  • There is a method for applying access control to sensitive data
  • There is an understanding of roles and responsibilities for data within the organization or project
  • Level 1: Are there basic access controls in place to limit access to sensitive data?
  • Level 2: Are access control mechanisms more sophisticated, including role-based access controls and periodic access reviews?
  • Level 3: Is there a comprehensive, dynamic access control system, utilizing advanced techniques like context-aware and conditional access policies, continuously monitored and refined?

Software Security

1. Decentralized Application Security

1.1 Security Best Practices for DApps
  • Security is considered formally for the contracts being developed for the application
  • Security is considered for DApp front ends if they exist
  • Some element of security function is applied to DApps
  • Level 1: Are there initial best practices identified and implemented for the security of Decentralized Applications (DApps)?
  • Level 2: Are these best practices more comprehensive, regularly updated, and aligned with emerging security trends in the decentralized space?
  • Level 3: Is there an advanced set of best practices, widely recognized and adhered to, with proactive measures to anticipate and address future security challenges in DApp development?
1.2 Smart Contract Security
  • Contracts are reviewed for security in some way
  • Audits have been conducted or are planned for the contracts associated with the project or team
  • There is internal knowledge of smart contract security and best practices
  • Level 1: Is basic security in place for smart contracts, such as using known patterns and simple audits?
  • Level 2: Are smart contract security measures more rigorous, including thorough audits, formal verification, and vulnerability scanning?
  • Level 3: Is there a sophisticated, continuous security process for smart contracts, employing cutting-edge tools and practices, and integrating community feedback for ongoing improvement?

2. Third-party Code Review

2.1 Review Procedures
  • Code reviews are conducted for third-party components
  • There is an inventory of third-party components available
  • Level 1: Are there basic procedures in place for the review of third-party code, focusing on major known vulnerabilities?
  • Level 2: Are review procedures more comprehensive, regularly updated, and include systematic checks for a broader range of security issues?
  • Level 3: Is there a highly advanced code review process, integrating automated tools, continuous integration checks, and peer review systems?
2.2 Community-Based Reviews
  • There is engagement with the community to peer review third-party code
  • There are published issues or vulnerabilities for the third-party code
  • Level 1: Is there an initial engagement with the community for code review on an ad-hoc basis?
  • Level 2: Are community-based reviews more structured and regularly solicited, with clear guidelines and incentives for community participation such as a bug bounty program?
  • Level 3: Is there an established, robust community review ecosystem, with ongoing interaction, collaboration, and recognition systems to encourage active community involvement?

3. Security in Project Stewardship

3.1 Advisory Standards
  • Standards exist for the extended ecosystem of the project
  • There have been submissions from the project or organization to the greater ecosystem
  • There is some engagement with the greater community
  • Level 1: Are basic advisory standards in place for guiding projects on security matters?
  • Level 2: Are these standards more detailed, tailored to various types of projects, and regularly reviewed for relevance and effectiveness?
  • Level 3: Are advisory practices highly advanced, regarded as industry standards, and include a proactive approach to advising on emerging security threats and technologies?
3.2 Feedback and Improvement Loop
  • The project or organization is accepting of feedback from external stakeholders
  • Feedback has been or is planned for incorporation into the product
  • Level 1: Is there a basic process for receiving and incorporating feedback into security advisory practices?
  • Level 2: Is feedback systematically solicited and analyzed, with structured mechanisms for integrating insights into continuous improvement of advisory services?
  • Level 3: Is there a mature, dynamic feedback and improvement system, deeply integrated into the stewardship approach, fostering ongoing adaptation and enhancement of security advisory services?

Maturity of Security Documentation, Outreach, and Developer Training

1. Documentation Standards and Accessibility

1.1 Development of Documentation
  • You have created some type of documentation around your development process
  • You have a development process that can be described as structured
  • Level 1: Is there a basic level of security documentation developed, covering key security processes and policies?
  • Level 2: Are documentation practices more comprehensive and detailed, covering a wide range of security topics relevant to the organization?
  • Level 3: Is there a sophisticated, dynamic documentation system, regularly updated with the latest security information and best practices?
1.2 Accessibility and Clarity
  • Your documentation is available in an accessible location to your developers or stakeholders
  • Level 1: Is the security documentation easily accessible to relevant stakeholders, and written in a clear, understandable manner?
  • Level 2: Are there efforts to enhance the clarity and accessibility of documentation, including tailoring it to different audience groups?
  • Level 3: Is documentation highly accessible, user-friendly, and effectively communicated across diverse platforms, ensuring wide reach and comprehension?

2. Community Engagement and Outreach

2.1 Community Engagement Initiatives
  • You have engaged your community and/or constituents in order to solicit feedback around security matters
  • These engagements cover security as a topic
  • Level 1: Are there initial initiatives for engaging with the broader community on security matters?
  • Level 2: Are community engagement initiatives more structured and regular, covering various forums and platforms?
  • Level 3: Is there a robust, ongoing community engagement strategy, fostering strong relationships and active collaboration on security issues?
2.2 Public Security Awareness
  • You are publishing or showcasing security work on a regular basis, at least annually, for your community or internal teams
  • The community is aware of these publications and they are easily accessible
  • Level 1: Is there a basic effort to raise security awareness among the public or within the community?
  • Level 2: Are these efforts more targeted and extensive, using a variety of channels and methods to reach a broader audience?
  • Level 3: Is there a comprehensive approach to public security awareness, regularly updated and tailored to address emerging security challenges and trends?

3. Developer Security Education

3.1 Educational Resources and Training
  • You have created resources and/or programs for developers in your ecosystem including but not limited to whitepapers, blogs, training documents, videos, or other mediums for training
  • Level 1: Are there basic educational resources and training programs in place for developers on security topics?
  • Level 2: Is developer training more advanced, covering a wide range of security topics, with regular updates and refinements?
  • Level 3: Are there comprehensive, state-of-the-art educational programs and resources for developers, including hands-on training, workshops, and continuous learning opportunities?
3.2 Continuous Learning and Update
  • Training materials have been updated at least once
  • Level 1: Is there a process to periodically update training materials and resources?
  • Level 2: Are training and educational resources regularly reviewed and updated with the latest security knowledge and practices?
  • Level 3: Is there a sophisticated, adaptive learning ecosystem for developers, integrating the latest security advancements and feedback for continuous improvement?

Incident Response

1. Decentralized Incident Management

1.1 Incident Handling Procedures
  • You have classified an incident and responded to it
  • There is a basic definition or team for incident handling
  • You have documented a process for responding to incidents
  • Level 1: Are there basic incident handling procedures in place, addressing key steps to be taken during an incident?
  • Level 2: Are these procedures more comprehensive, detailed, and tailored to decentralized environments and the specific nature of incidents?
  • Level 3: Is there a sophisticated, well-documented incident handling process, regularly tested and updated, incorporating advanced tools and strategies suitable for decentralized contexts?
1.2 Cross-Team Coordination
  • Incident response plans or activities are not limited to one team or just the security team
  • An incident response roster has been defined
  • Level 1: Is there a basic level of coordination among different teams during incident response, especially in a decentralized setting?
  • Level 2: Are coordination efforts more structured, with clear roles and communication channels established across distributed teams?
  • Level 3: Is there an advanced, seamless cross-team coordination mechanism, leveraging decentralized communication tools and real-time data sharing for effective incident response?

2. Incident Reporting and Transparency

2.1 Reporting Mechanisms
  • Incidents are tracked and reported in a unified location
  • Templates are defined for incident tracking
  • Level 1: Are there initial mechanisms in place for reporting incidents, both internally and externally where necessary?
  • Level 2: Are reporting mechanisms more comprehensive and systematic, ensuring timely and accurate incident reporting to all relevant stakeholders?
  • Level 3: Is there a sophisticated incident reporting system, providing real-time alerts and updates, with a high degree of transparency and accountability?
2.2 Community Communication
  • Communication channels for incidents are defined
  • There is a method for triggering an incident
  • A marketing team or person dedicated to external comms is part of the incident response team
  • Level 1: Is there a basic process for communicating incident-related information to the broader community?
  • Level 2: Are these communication efforts more structured and frequent, ensuring the community is well-informed and trust is maintained?
  • Level 3: Is there a proactive, continuous community communication strategy, incorporating feedback mechanisms and fostering open dialogue about incidents and responses?

3. Post-Incident Analysis

3.1 Analysis and Lessons Learned
  • A retrospective has been conducted for an incident
  • The retrospective was or is documented
  • Level 1: Is there a basic process for analyzing incidents post-resolution and extracting key lessons?
  • Level 2: Are post-incident analyses more detailed, leading to actionable insights and systematic improvements?
  • Level 3: Is there a comprehensive, iterative process for post-incident analysis, integrating advanced analytics, and consistently applying lessons learned for continuous improvement?
3.2 Feedback Integration
  • Information from the retrospective was positively included in the response process
  • Level 1: Is there a mechanism to capture feedback from incident responses and integrate it into future plans?
  • Level 2: Are feedback integration processes more structured, ensuring that all insights from incidents are systematically used to enhance response strategies?
  • Level 3: Is there a dynamic, ongoing feedback integration system, fostering a culture of learning and adaptability across the organization?