If you've been keeping up with the Web3 security space on social media, you'll know it can get a bit hectic. Thousands of posts rolling through every day with all kinds of varying advice, tons of people posting huge bounties, courses constantly being rolled out and updated. It can all become quite a lot, and could leave a lot of people with a lot of questions. While you're scrolling across these posts a lot of questions might be popping up in your head; maybe it's about a specific technique an auditor used, an organization they are involved in, or a billion other things. I wanted to go ahead and give you almost across the board approval to send them your question. Let me preface this with some extra advice though.
Troubleshooting is a huge part of any career in cybersecurity (or technology in general). If you can't troubleshoot and come to your own conclusions, you're dead in the water. Some people consider themselves "bad at technology" or "bad at troubleshooting", and that's just not true. There's a level of effort that needs to be put in to learn any new tech or skill, and the same thing occurs with troubleshooting. It certainly can be seen as a mindset, but it's also something that can be learned and developed. So as a forewarning, before you do directly reach out to someone and send them your question, make sure you've fully thought it through and done your own research in order to answer it yourself -- as this is where most of the personal growth will occur.
The reason I bring this up is because @chrisdior777 mentioned it here (alongside some other killer tips). As long as you are being respectful and polite, the worst thing that can really happen is someone says no or ghosts you, which doesn't matter at all. The best thing that could happen is you make a new friend to discuss web3 security with, which is a phenomenal outcome! In his post he makes a direct reference to the Telegram ETHSecurity Community which is a great place to meet other people in the space, but don't limit yourself to just one community, get plugged into a few that you feel like are a good fit. There's some on Discord too like Defenders Den, Cyfrin, DeFiHackLabs, and many more, just keep your eyes peeled!
And with that, here are the tips that Chris left on Twitter:
Read Web3 security experts' tweets daily.
Find a list of them here.
Read 1-2 articles daily.
Keep an eye on Twitter for auditor's personal blogs (usually in their bio).
Articles can also be found on platforms like Mirror, Paragraph, Substack, Medium, etc.
Study findings and attack vectors daily.
Check the repos where audit reports are published and stay up to date.
Read and analyze a lot of code.
Practice on an auditing platform like Code4rena and Sherlock.
Chat with fellow auditors.
Don't be afraid to send them DMs!
