📢 Contributing to W3OS
W3OS is an open standard developed collaboratively by the Web3 security community. Contributions by anyone are welcome.
- 📖 Read the Contributing Guide for detailed information on how to propose changes, add new sections, and improve existing content
- 💬 Join the Telegram Discussion Group to participate in ongoing collaboration and connect with other contributors
Help build the comprehensive operational security standard for Web3 organizations.
The Web3 Operational Security Standard (W3OS) is for Web3 startups, DAOs, exchanges, wallets, infrastructure projects, auditors, and operations/security leads who need a straightforward way to measure and improve operational security without diving into code-level detail.
W3OS is an open standard that defines comprehensive security requirements for organizations operating in Web3. W3OS provides a framework for:
- Organizations to measure and maximize their operational security posture against traditional and Web3-specific risks
- Auditors to consistently and comprehensively evaluate organizational OpSec posture and easily manage review efforts
- Stakeholders to evaluate the security maturity of their organizations and reduce risk
You can use the interactive page to track your progress through W3OS requirements and measure your organization's level of compliance with each section of the standard.
The various security guides are available to help you implement the required security controls.
There are account configuration guides for many popular services and software - each provides you with a concrete checklist for securely configuring both admin and user accounts.
Unlike other frameworks, W3OS is focused entirely on operational security maturity — a complement to code audits that directly and exhaustively addresses security risks crucial to business continuity, user safety, and peace of mind for stakeholders.
Web3 organizations face unique operational security challenges that traditional Web2 security frameworks don't adequately address:
- Digital Asset Management: Securing cryptocurrency wallets, multi-signature schemes, and on-chain operations
- Community-Driven Operations: Securing social channels, governance processes, and public communications
- Rapid Development Cycles: Balancing security with the fast-paced nature of Web3 development
W3OS is designed to be straightforward and actionable with meaningful impact, not like a corporate compliance policy. It is structured like a checklist, allowing you to effectively identify weak areas in your OpSec and keep track of filling those gaps
The risk: If communications are hijacked, trust is eroded and brand reputation is damaged as users are hurt by misinformation.
**What W3OS calls for:
- Review who has admin rights
- Limit control to a small, trusted group
- Require 2FA on all accounts
- Keep a short “what to do if hacked” playbook
Why this matters:
- Signals maturity to investors and partners
- Reassures the community their safety is taken seriously
- Avoids chaos — no scrambling in an incident
- Builds credibility with clean, responsible operations
The risk: Investors want proof an organization is not a liability.
**What W3OS calls for:
- Document who controls treasury wallets and require thorough multisig approvals
- Maintain logs of access/device security checks
- Prevent social engineering of organization members
- Protect against malicious/compromised developers and new hires
- Have a one-page incident response outline
- Prove communication channels are secure (no rogue Discord mods, verified X control)
Why this matters:
- Speeds up due diligence and builds investor confidence with controls in place, not just promises
- Positions teams as enterprise-ready, even if early-stage
- Reduces friction in closing deals and establishing partnerships
|
|