Welcome and Introduction
00:00:07
riptide
Welcome to the podcast.
00:00:11
riptide
We're here after many, many technical difficulties with Wind Hustler for episode thirty-two. Welcome to the podcast.
00:00:20
windhustler
Hey man, how are you doing?
00:00:22
riptide
Oh, this piece of shit,
Previous Interruptions and Podcast Focus
00:00:25
riptide
man. So initially we were talking, what was it, a few days ago, last week or something, and we were a good 10 minutes in, and then, beautiful old-school Europe, my power goes out because...
00:00:39
riptide
You know, I've decided to use more than one appliance and my solar panels, they're not generating any power. So yes, that's what happened. Everything turned off and we were cut off. So what we spoke about was actually highly classified. So it's a good thing it didn't get out there.
00:00:57
riptide
This was like true alpha. We were talking about some deep EVM bytecode hacks that only we know. So it's pretty good we didn't share this, because yeah, the blockchain would have been annihilated with too many bounties found. So I just want to let you know about that.
Guest Highlights and Podcast Direction
00:01:16
riptide
So Wind Hustler, what is up, sir? I actually found out that you also have some sort of podcast, the Network Podcast. What is that all about? I haven't even listened to it.
00:01:27
windhustler
I just started with, like, something to, you know, just have some format to speak with people for an hour. I didn't really focus just on the security people, but I did invite, for example, Jocelyn from Trail of Bits.
00:01:48
windhustler
He was there for an hour. I think he was with you as well, right?
00:01:54
windhustler
Yeah, great guy. Also Jeffrey from RareSkills and a few other guys that are, you know, just like DeFi devs or project founders and so on.
00:02:09
windhustler
So it's still kind of... your podcast is very well defined, you know, bug bounty hunters. You know, it's hard to invite.
00:02:20
windhustler
Okay, I mean, you could invite, you know, folks from some project, but, you know, mine is still in its infancy, so yeah, I'm still kind of thinking what direction to take. But I run a Web3 security agency, right, so I wanted to steer it a bit more towards, you know, projects and builders in the space.
00:02:46
riptide
And you could plug that too. Is that Burasek?
Launching a Podcast on Web3 Security
00:02:50
windhustler
Yeah, yeah, Buddha, yeah, yeah, Buddha Security.
00:02:50
riptide
Shout out to Burasek. Burra, Burra. I like it. I like it. And let me ask you, why did you decide to launch your own podcast? Because I wonder if it aligns with, like... I couldn't talk to anyone in real life about what we talk about. So I said, the only way I could do this is start a podcast.
00:03:10
windhustler
Yeah, I mean, there's also a bit to it, right? We mostly talk through messages, you know. I receive and send, I don't know, probably a hundred messages a day. So this was a slightly better format.
00:03:27
windhustler
I also miss talking with people more. You know, a lot of researchers, engineers, even when you get on a call with them, they're not too talkative. I mean, it obviously depends, so some of them are quite talkative, but others don't say much. So yeah, having a podcast, inviting people that like to discuss stuff, like to talk about stuff, is kind of refreshing, you know.
00:04:02
riptide
Yeah. You never know who's actually going to speak. Some guys are buttoned up, and some guys that you didn't know, you know, they're not very active on Twitter, but when they get on the mic there, they have a lot to say, which is really good.
00:04:16
windhustler
Yeah, yeah, very true.
Security Agency Work Setups
00:04:19
windhustler
I've been running, as I just mentioned, a security agency, and I've been experimenting, you know, with modes of working so much for the past six months. So I've been thinking, should I have calls at the beginning and the end of the audit? Should I have calls in the middle?
00:04:41
windhustler
Are people going to work individually or in a team? You know, I'm just trying a bunch of different work setups. And I think having calls did the worst, you know.
00:04:57
windhustler
You just have like three people jump on a call, but you can hear in their voice that they don't like to...
00:05:03
riptide
They don't want to be there. Yeah.
00:05:05
windhustler
Yeah, yeah, yeah. They all want to be there.
00:05:07
windhustler
Like, I was expecting, you know, some brainstorming on the call, but yeah, it wasn't there.
00:05:14
windhustler
Maybe I can try a different approach.
00:05:17
riptide
Yeah, I was going to ask you, because you decided to make the move. And, you know, after doing this working for other people and freelancing, you said, hey, I'm going to make it official and make my own auditing company, security company.
Team Allocation and Workflows
00:05:31
riptide
So, I imagine you have some guys working for you. Do you have a model? I don't know how new your business is. If you haven't got there, let me know. But do you have like a technique that you could share? Like, when you get a client and you approach it, how do you know how many guys to assign? How do you get them to work together? And are you still kind of developing that?
00:05:56
windhustler
So ideally, you know, you would get as many eyes as possible, but companies obviously have security budgets and budgets for reviews. So we try to do a minimum of two researchers, that's the bare minimum, although we did some reviews with just a single researcher, which is not optimal, right. Also, that being said, even if it's a medium-sized project or a bigger one, I'll try to push for maybe two seniors, you know, one medium and one senior researcher, and then I'll also try to put one or two juniors there. So in the end, you know, it ends up being like four or five people
00:06:54
windhustler
looking at your codebase, which is quite good. So yeah, yeah.
00:07:01
riptide
And do you spin up like a Discord for each client and then have channels, and different tasks taken by people working in teams? And, you know, mostly everyone's remote. So I'm just curious, like, how do you use Notion? How do you guys share ideas and stuff?
00:07:17
windhustler
So we have this very neat mode of working. So for the internal communication we use a Discord channel. So this is like a separate, completely new Discord server where I just invite the researchers, and obviously I'm also there, and then we have these categories like bug lead, bug pending, bug confirmed and bug reported. So these are like channels,
00:07:48
windhustler
no, categories, and then under each of these categories, for instance, you can open new bug leads. So it's kind of a different thread per bug lead, and there we spin up ideas, researchers open their leads. So that's the internal workflow. And then externally we obviously have a common group with the project, where the engineers, the developers, the founders of the project are, and we also bring our researchers there. So yeah, that's kind of the mode of working, although on some engagements, as I said, we do it completely collaborative, so everyone's just sharing ideas, everyone's just working
00:08:44
windhustler
together. Then on some other engagements we do it... let's say an engagement is one week long, or okay, for simplicity, five days long, five business days long. Well, the researchers will share their bugs after three days, and then again on the final, fifth day. So there's also that.
00:09:12
windhustler
It really depends. I'm still kind of exploring it a bit, but it depends on the engagement type. For example, recently we had this engagement where there wasn't that much code, but we were supposed to check the whole deployment process.
Auditing Strategies and Incentives
00:09:28
windhustler
It was some LayerZero integration, also, you know, deployment scripts. We were basically supposed to check everything. Then for that kind of engagement, it makes much more sense to have a collaborative workflow, but then maybe for some other engagements it makes sense to have it competitive. So yeah, I mean, as you said, I worked with a lot of firms, so most of them are well known, like, I don't know, Sherlock, Blackthorn, you know, Code4rena, Zenith, Spearbit, Bailsec, what else, Enigma.
00:10:11
windhustler
So I've seen everything, you know, there are different ways of working. I also worked with Pashov back maybe two years ago.
00:10:17
windhustler
So Pashov the great, yeah.
00:10:17
riptide
Pashov the great. Yeah.
00:10:22
riptide
But it's interesting to hear your method and how you're developing that method, because there are so many different ways to do it. And some people find success with their own method, collaboratively or kind of a PvP scenario or double review. There are all these different ways to do it.
00:10:42
riptide
And so I read this book recently. It's called The Cuckoo's Egg. And it was actually shared on X. And it's this story from the 80s where this astronomer is working at a university in California. And he just happens to get into this thing where he's tracking a hacker going through a system and then military networks and all these things. And anyway, he eventually talks to this guy at the NSA, and the NSA is talking to him, and they're telling him how they kind of approach vulnerabilities in code, which I thought was pretty funny, because he says, we have two rooms and we have this room. They look at the code that the other guys write and they say, hey, look,
00:11:25
riptide
we found a bug. And then they don't tell the guys where it is. So it stresses the other guys out and they're running through all their code. They go, okay, it's here somewhere, but we have no clue where.
00:11:35
riptide
And I just thought that was an interesting approach to do it. Hey, look, yeah, we got a big one. We're not going to say shit on where it is though. But then I've also seen, and I mention this a lot, I like Hexens' model, just how they flex it in their audit reports, because I think they do a great job. One team reviews it and then, okay, look, we're done. And then the other team does the audit again and they say, okay, look, you know, we found XYZ or confirmed there are no findings.
00:12:06
windhustler
Oh really? I didn't know that. So they don't go in parallel, so one team goes after the other.
00:12:13
riptide
From what I could tell from the Hexens audit report, yeah, they make it clear. They have this little system there where it's like, okay, team A reviews it, they do the audit, then team B does the same audit. I think that's how it goes.
00:12:25
windhustler
Okay, that's interesting. I mean, you're giving me some new
00:12:30
windhustler
some new ideas, but actually Guardian does competing teams, and then you have one person that's supervising the audit, and then you have competing teams. So they have like five people allocated in each audit.
00:12:50
windhustler
And that scenario that was described before: so this supervisor, if team A has found a critical bug, then he'll be telling team B, you know, team A has found the critical bug, you should, you know, get your shit together.
00:13:09
riptide
That's pretty cool. Well, so how do you... this is interesting. I think about, I talk a lot about incentives, right? And why I'm drawn to bounty hunting. I like the incentive of possibly making a lot of money finding a bug.
00:13:24
riptide
And that's why I didn't like doing auditing. You can make a lot of money right now doing auditing. If you're good, 20 grand a week is crazy cash, right? But if you work for somebody... and I know why you created your own firm, you have your own aspirations, it's not easy, but you take more revenue home, which is fair.
00:13:44
riptide
But for guys that work with you, like guys that you hire, auditors, do you have any thoughts on how they look at employment? Do they say, well, we just love finding bugs and we're happy to take our standard pay? Or do you have an incentive, some sort of program lined up where, hey, you found this thing that no one else found, like unique findings, you're rewarded extra? Or is there anything you kind of get out there to incentivize these guys to do their best?
00:14:18
windhustler
I just tried something like what you just described, where I didn't tell the team before the audit, but the first part of the audit they were looking for bugs, it was kind of competitive, so each of the researchers was supposed to disclose their bugs after three, four days of audit. And then on Monday when they disclosed, I told them there are still three more days remaining in the audit.
00:14:51
windhustler
If you're able to find, you know, a high or critical, there's this side pot and you can earn some extra money there, aside from being paid for the audit. So this is something, although this is never going to be an enormous amount of money, unless it's a really big audit. If it's an audit that is a month long, then you can earn some decent cash on the side, but for these shorter-duration audits, it's just not possible to allocate a very big side pot. So this is one incentive, but I think a very big incentive is when people are competing against each other,
Freelance Researcher Competition
00:15:45
windhustler
right. You know, no one wants to be the person that hasn't found some critical bugs or high-severity bugs. So this is a big advantage with the competitive model. I mean, I've worked a lot with the competitive model as a freelancer for other groups, and you know,
00:16:10
windhustler
you don't want to be the worst researcher, you know. You don't want to be someone who missed stuff, so you're going to push through there.
00:16:21
windhustler
Just, you know, for the ego's sake, and obviously you have a reputation and you do want to continue working for multiple groups. Most freelancers, they want to have more options, right? So you're not going to lock yourself in to one audit group, but it's best if you have more options, right?
00:16:43
windhustler
If you prove your worth with, you know, three, four, five different audit groups, then you know you're always going to get hired again and you have that certainty.
00:16:52
riptide
Yeah, I'm thinking about it from the employee perspective, because I talked to some people that had done... because I think a lot of firms, maybe there are a few exceptions, but a lot of firms will say, okay, we did this security audit, and they won't put who actually did the audit. They just use their firm's brand name.
00:17:16
riptide
And that is not liked by some of the auditors later on, because when they want to move on or show proof of work, they're like, ah, you know, I was on this audit, but their name's not on there.
00:17:29
riptide
So I don't know how you're rolling with that. So that's one thing I was thinking about. And the other thing was about doing the competitive aspect, right?
00:17:41
riptide
So your name, right? You're, you know, Wind Hustler's running his Budasek and he's running this. And obviously you're the proprietor, right?
00:17:53
riptide
You care the most about your company's findings versus any other firm. When you're all auditing the same protocol, you're like, hell yeah, we better get the most, the best critical findings, this and that.
00:18:05
riptide
But I'm just wondering if it would align your guys more if they had their names... and I don't know if you put them on the report or not, but if their names were on the report, they share in that kind of, you know, the podium on top: you guys are the best. I don't know if you're doing that or not, or what you think.
00:18:25
windhustler
So we do put the researchers on the report, you know, to give them maybe a bigger sense of ownership, just having this feeling that you're not just some guy in the background that no one knows about, but you're there.
00:18:48
windhustler
But on the other hand, I do understand. I mean, I don't know what these other firms are saying, what the reason is that they're not putting the auditor names, but I'm guessing they're not putting them to...
00:19:09
windhustler
They don't want, you know, their competitors, like other auditing firms, to know who's doing the audits. So they'll push them, right?
00:19:18
riptide
You'll poach him, perhaps, yeah.
00:19:22
windhustler
That's the main issue. I mean, I know Pashov, and I don't put him in the spotlight or anything, but I know previously he was putting auditor names on the reports; now he's not doing it. There was some discussion around that on Twitter. He said that, I remember I was reading through the post, he was saying like it doesn't provide any value to the clients, which is true. But I do think that a lot of his auditors, you know, got employed at Certora, they got employed elsewhere.
00:19:57
windhustler
And they went through a lot of audits with him. So I suppose they were really good. He liked working with them. They had very good performance. But now they're working for Certora, for, you know, other auditing groups.
00:20:12
windhustler
So he probably said, you know, fuck this, you know.
00:20:18
riptide
Actually, the true story is that Pashov actually does all the audits himself. He's superhuman and he does this while driving in his Lamborghini.
00:20:28
riptide
He's actually an incredible, incredible man. No, so here's a solution that could be done, right?
00:20:36
riptide
Okay, it doesn't add value to the clients. Fine, fair enough. But it does add value for your auditors, especially when they're trying to show a repository of work. So how about, just like people can confirm employment at a company, you have a web portal. You can say, hey, give me the request, like the unredacted audit, or which auditors were on this. Have some place where they could be verified.
00:21:00
riptide
I think that'd be cool.
00:21:02
windhustler
Yeah, that's cool, but also, I mean, I don't see a big problem if... obviously someone else cannot verify that, but if you just have the report, right, without your name, you can just send that as a reference, and then if this person wants to check, then he can do all the... I mean, this is usually enough.
00:21:21
riptide
Yeah, yeah, no, very true.
00:21:27
windhustler
But I mean, the fight for, you know, SR talent is real.
Challenges in Talent Acquisition
00:21:34
windhustler
It's there. I mean, I don't know what your opinion on this is, but you remember the exclusivity with Cantina, you know.
00:21:43
windhustler
And there were, you know, when Cantina announced this, a lot of reactions from Immunefi, from Sherlock, from others. So obviously this matters.
00:21:55
windhustler
There are a lot of researchers, but there aren't, you know, that many researchers that are really top class. So I guess everyone's fighting for them.
00:22:09
windhustler
And then, obviously, you have newcomers that are really good, but some of them are still undiscovered. So I'm also trying to figure out, you know, which newcomer
00:22:22
windhustler
is going to be the next beast, you know, the next... I don't know, Simao, some of these guys that are really talented. So that's...
00:22:32
riptide
There's a counterpoint to that, too, because something that hasn't been studied yet is, like, you have athletes, right? And you pick certain athletes, they have their draft, and this guy's really good. Okay, we got him.
00:22:46
riptide
You have all these stats for the athletes. You've seen them play. You know their age. They're a very public figure. Auditors, you really don't know who they are. They're hiding behind a PFP. You don't know their age. You don't know their family situation. You don't know their life. You have no idea.
00:23:03
riptide
But if they're top of their game and you hire them... and this has happened, this is talked about quite a bit. Some guys just ride the brand until it dies, right? They ride their name and they check in, but they're done. Like they've made enough money and they don't really care as much. They lost that hunger.
00:23:23
riptide
And I don't know how to gauge that. You could see how dialed in the guy is, I guess, to the industry and, you know, see if he's still participating and see if he still has that drive and hunger. But I definitely wouldn't want to pick a guy for top dollar and employ him and then just be disappointed, because the guys that are hungry, that are smart, that haven't been discovered yet,
00:23:47
riptide
I mean, those are the guys I think everyone's trying to get, to be honest.
00:23:52
windhustler
Yeah, true, true, of course.
00:23:53
riptide
That have shown results.
00:23:56
windhustler
Yeah, yeah, that's very true.
00:24:01
riptide
Because look at the exclusive deals that were done with Cantina.
00:24:04
riptide
Some of... I won't name names, but some of those guys, I think they peaked. I think they peaked already. They got enough money and they're like, okay, I don't really want to do this now.
00:24:13
windhustler
Yeah, yeah, I mean, there's also a bit of that. But this is also one reason why you put multiple people on an audit.
00:24:25
windhustler
I mean, it's the same with employees, right? If you're Hexens or, you know, name any other company. Everyone can have a bad week, a bad internet, you know, one week, or...
00:24:42
windhustler
Or you just don't sleep well. Or maybe you've totally lost the motivation. Maybe you're thinking, I'm doing something else. And you accepted that last deal. And now you're working for me.
00:24:53
windhustler
So again, that happens to everyone. So I think this is kind of unavoidable. It's just, you know, the reality.
00:25:06
windhustler
But then you try to put two, three, four people, at least, so you have that kind of manpower, just to be certain there.
00:25:15
riptide
And how are you getting guys anyway? Like, what's your recruiting strategy? What have you seen being successful? Because the current job market depends on the country you're in, but it seems like the economy is pretty shit.
00:25:28
riptide
And Web3 security is an interesting kind of zone to be in. It can either be highly lucrative or you're not making any money at all.
00:25:39
riptide
So I'm wondering where you're finding your talent and how you've approached it from the hiring perspective.
00:25:47
windhustler
So we actually don't have anyone who's employed full-time, but there are a few guys that usually work on almost every engagement. Locally, here... I'm from Croatia, no one is into Web3 security, you know, it's very hard to find people locally. But actually, I mean, there are only a few people; one of the guys works constantly on our audits, he's actually like one kilometer from my place here in Zagreb, Croatia.
00:26:34
windhustler
He's very experienced, he works at Arbitrum as, you know, a Solidity developer, but he has like 15 years of software development experience, and he's been doing research for the past two years. So he is one of the researchers I frequently put on. There are also a few juniors here from Croatia that I'm trying to get into the business. Other than that, I mostly work with researchers from all over the world who
00:27:13
windhustler
have either worked for some Web3 security firm or have really good competitive audit results. So in this way we're similar to Pashov or these other groups, so we kind of hire from the same talent pot. As far as finding the right person, maybe this is alpha, but
00:27:36
windhustler
I personally worked with a lot of people, right? I just mentioned I worked for Zenith, you know, Spearbit, and so on.
00:27:47
windhustler
So if I worked on an engagement with someone and I really trust him, then I can assess that that person is good, is hardworking, and so on. So I'll either work with that person, or I will ask him to recommend me
00:28:09
windhustler
people that he has worked with. I just ask him, you know, give me the best researchers that you have worked with, and then you see the same names popping up from different researchers, and then you probably know that this person is good, right? So yeah, that's one heuristic, you know.
00:28:37
windhustler
I also just look at generally what the person has done. And I also do care about how someone communicates. And
00:28:50
windhustler
sometimes it's also intuition. I just, you know, kind of feel that someone might be good. So I just try to put him on some engagement and
Opportunities for New Researchers
00:29:02
windhustler
see how it works.
00:29:02
riptide
So what do you value the most? If you got a guy that says, oh man, I got to get some cash here and I really want to work for Wind Hustler because he's incredibly based, and this guy's coming up to you and he's got like, maybe he placed top 10 on some contests and he hasn't had a formal Web3 job, but you know, you could see he's dedicated, he's always posting, he's learning this and that. Do you have a...
00:29:31
riptide
Is there like a junior role? Do you have one anywhere? And I know you're a young firm, right? But do you have somewhere where maybe new guys could build up at your company in a very junior role, to learn from the best?
00:29:45
windhustler
So, usually, for this scenario you've described, I try to put this person on trial audits. So he's going to get paid, but probably not like a typical researcher. So then I just assess from there.
00:30:09
windhustler
We don't have a formal process, right? We're a very young agency also. The bottleneck with the agency right now is not, you know, researchers.
00:30:21
windhustler
There are enough skilled researchers. The bottleneck is still the clients, right? So we do have like four or five very good clients that, you know, keep on coming back and use our services.
00:30:37
windhustler
But you know, with audits, that's probably not enough to be constantly booked with several audits running at the same time.
00:30:47
windhustler
So yeah, just trying to scale that part. I'm just looking to have maybe like 20, 30... okay, maybe that's a bit longer term, but if we would have like 15 to 20 projects that constantly work with us,
00:31:07
windhustler
that would be enough to keep us really booked, right.
00:31:12
riptide
Do you feel this business is really like... because it's a good question, like, how do you compete in the market?
00:31:22
riptide
Do you compete on quality?
Agency's Competitive Strategies
00:31:25
riptide
Do you compete on price? Or is it kind of a mix of both? And it becomes more like a relationship business, like any sales-type business, because of the way you communicate with clients, your feedback, everything like that. How do you view it?
00:31:43
windhustler
Yeah, it's a mix of everything. I would say we currently definitely compete with the price, especially with, you know, some more established options out there. So that's one kind of advantage. Then we do try to focus a bit more on these interoperability protocols, you know, LayerZero, Wormhole, some of these others. So we did a lot of audits of this type, so this is our competitive advantage.
00:32:25
riptide
I like that right there, what you're doing, because I wanted to see if you'd say that and you did. That is so smart. I think to focus like, look, we could do everything and we will. However, this is our specialty, because we know you're the king of LayerZero, right?
00:32:40
riptide
So you're doing this total interoperability focus, which I think is a really good business move. Just focusing on that and showing this is our core skill set.
00:32:51
windhustler
Yeah, yeah, that was also kind of the vision, to focus really on... actually, my thesis was that these external integrations often get missed and, you know, are overlooked, right? If you have like a 2000-lines-of-code audit, if it has a bunch of
00:33:19
windhustler
external integrations, usually you're not scoping it to have sufficient time to cover all this external code, unless the researchers that are allocated on the audit have a lot of experience with those external integrations. So that's where we try to offer value to projects. So if it's, for example, LI.FI, one of our clients, we do a lot of PR reviews with them, since they constantly push new code to production, and they're like a bridge and DEX aggregator, so they're constantly integrating new bridges. So when they integrate a new bridge, we'll check it out, but most of these bridges work in a similar way; there are often some kinds of bugs that keep repeating there, so that gives us the advantage compared to someone who's never audited a bridge checking it out.
Advice for New Security Firms
00:34:30
windhustler
That being said, I think a better specialty, you know, if someone wants to open a firm tomorrow... I think the design space in cross-chain protocols, there's some room for errors there, for bugs there. Also the apps, the protocol itself gets a bit more complex when it's cross-chain. But I think, like, opening an auditing firm and focusing perhaps just on DeFi in general, like lending, borrowing, perpetuals and so on, the design space is much bigger there, and these audits are longer, and they can be quite hard. You've seen with Yearn and Balancer, right? You know,
00:35:29
windhustler
There's a million things that can go wrong if you have some complex math. There's a bunch of numerical bugs that can occur, or some economic exploits and so on. So just my piece of advice: if someone is focusing on something, I think the most work is with DeFi apps, definitely.
00:35:55
riptide
Yeah. Yeah. I wonder if, like, someone opens up a "we're the AMM audit shop" and all they do is AMMs only. I think there's some value to that because they really just focus on that niche, that corner of the market.
00:36:11
riptide
Because I wonder if, because like if you audit, right, you look at bugs, and we look at every possible bug, it's all just logic in a certain sense until you reach a certain level of math.
00:36:26
riptide
And the math, let's just look at the yETH type thing. The Balancer thing, I guess I'd bundle that into that as well, where you really have to be taking a very close eye at the math.
00:36:40
riptide
And I've done it before where I've seen some math in contracts and I'm just like, ah, I'll just assume that's good. You know, I'll look at some easier code, right?
00:36:50
riptide
It's so easy to do, or "I'll get back to it." And now we have LLMs where we can talk to it and work through the math. It doesn't mean they're going to find it, but it makes it more approachable for more people to look at it, because a lot of people don't like math. And some people will dive right into that shit. And I think you need those guys. Like if you had...
00:37:11
riptide
I don't know what you'd call them, like the quant audit firm, like some hardcore math, like they're going to be like Michael from Curve or something. You need those guys in there to audit the math of these big brains.
00:37:23
riptide
And that's all they do. Like no other bugs. Just bring us in to check out that, and like a limited scope that those functions, those math functions, touch. We'll look at that. And then, well, we'll give you our assessment and then you go around outside of that.
00:37:37
riptide
Do you think that would be... what do you think? You think that'd be a successful audit shop that could do that?
00:37:44
windhustler
It would be very successful, but actually that's one of my plans, like long-term plans. There are a lot of very talented students that study math or computer science here in Croatia, so I'll try to kind of cherry-pick the best people from the faculty, bring them in as internships and try to grow them through a company to focus on the things that you were just mentioning.
00:38:23
windhustler
I think if someone is, I mean, we've seen it in the example of Bulgaria. And Bulgarians, there's a bunch of like 17, 18, 19 year olds that are really good in this stuff, and I think there's talent like this definitely in other countries. Just, I don't know, some stars have aligned in Bulgaria that a lot of people have heard about Web3 security and are just grinding through it. But yeah.
00:39:05
windhustler
I would kind of assemble this crazy team, like guys that just rock with math, and then they would... I think this is a really good setup.
00:39:19
windhustler
That's maybe long term. The problem, when you start with someone, you need to train him and so on. So it takes a bit of time.
00:39:30
riptide
So how do you balance, because are you still doing stuff with Sherlock and Spearbit as well?
00:39:37
windhustler
So I actually haven't done anything with Sherlock, I don't know, maybe for about a year. But I do occasional audits with Spearbit and Zenith.
00:39:52
windhustler
But that's moving; in 2026 I'll place 100% focus on Buda Security.
00:40:03
windhustler
I'm also planning some rebrand in terms of visuals, maybe I'll even change the name, so I'll probably just be focusing on that 100%. I started the firm back in May, and to be honest I just woke up one day. I had this in mind, I want to start something, I want to start something, but I just woke up one day: okay, let's just do something, let's just figure out some name.
00:40:30
riptide
That's the way to do it. Yeah.
00:40:32
windhustler
Just make a website, and I think this is the best way, because initially I was thinking, no way I'm going to get clients, there's so much competition there, there are so many. But just with time people start reaching out, you get recommended by someone, and then, poof, six months, you have four or five very good clients. So I think if you zoom this out to like three to five years you can build a small empire.
00:41:02
riptide
Yeah. Yeah. You took the hardest part with any business, just doing it, just taking action.
00:41:08
riptide
Yeah. I think there's always demand. It's just finding that demand and actually putting in the work. I had a side question for you. So, audit firms, everyone does audits. Have you ever thought of saying, we're going to take our brand name and we'll go compete for bounties as well, to kind of boost your brand recognition?
00:41:33
riptide
Are you man enough to compete for the bounties?
00:41:33
windhustler
Yeah, I mean,
00:41:38
windhustler
Yeah, the problem with that is, you know, we don't have long-term... we don't have employees. We work with freelancers, so that's the initial problem.
00:41:51
windhustler
This is actually a great idea if you had like 10, let's say you have 10 employees, and then you want to fill in some gaps in between audits, in between other work. And at the end of the day you might want to give your employees just some time to research, do bounties, research some new project and so on.
00:42:16
windhustler
So I would definitely do that with having employees, but right now it's just not possible. And also, a lot of researchers think that all clients care about is how many bounties you had or how many competitive audit results you had, but that's just one part of the picture. Sometimes you get some client just because you were introduced to this person, because of sales, because you have some specialty in something. So actually, I know a lot of top guys that don't have that many private opportunities, but their portfolio is insane.
00:43:02
windhustler
They found some really, really great bugs and they're not fully booked.
00:43:11
riptide
Yeah, it's true.
00:43:14
riptide
Yeah, it's an interesting job market, an interesting industry that we work in. And I love seeing it kind of evolve, because I'm running an AI firm now that we're just about to officially launch, and we're competing with the human firms. And right now it's going to be a layer, like we still have this... I talk to investors a lot about, like, what does security look like on the blockchain, how do you guys change it? And I said, basically, we're still doing this layered approach that a lot of people talk about, because we can't guarantee 100% security. Nobody's able to do that yet.
00:43:56
riptide
I hope we do get there, but right now it's just like, hey, this firm looks at it, we look at it, everyone looks at it, we get the automated tool. Like you do everything you can to try to guarantee a great outcome for the client, and we're still not there. Like we still have hacks, we still have,
00:44:15
riptide
all these things that we need to fix security-wise to really get this to be more comfortable for people to put their money in.
DeFi Security Challenges
00:44:26
riptide
Because right now, sometimes I don't think the risk premium is enough. Like I don't think it reflects the true risk of putting your money in DeFi. It's just really hard to gauge that right now. It's a tough metric to come about. And I don't know what to tell people when people say, should I invest in DeFi? Should I buy crypto? And they're like, do you use it? And I say, well, kind of. I use select protocols that I've looked at and, you know, I'm very low risk, just because of my traumatized brain from everything I've seen in crypto over the years.
00:45:04
riptide
But what are your takes on this? Like, what do we do here? What's the next step in security? How do we get better? And like, how do you plan to help contribute to it?
00:45:15
windhustler
So I'm actually running this idea with one of our clients and I'd love to hear your take on this. And this is targeting specifically when a project deploys.
00:45:32
windhustler
So right now we have what I call public bug bounties. So you post a bug bounty on some platform, there's some reward; on one hand anyone can look at your bug bounty, but you have zero certainty that someone is actually looking at your bug bounty. So this is kind of the first problem: zero certainty that someone is looking. The same thing with competitions, but, just like...
00:46:08
windhustler
Game-theoretically we can assume that, okay, maybe someone is, probably someone is looking at your bug bounty. This is kind of the first problem I see. The second problem is, I don't know if any bug hunters actually collaborate, if it's ever a team of a few people. I don't know, do you know such instances?
00:46:37
riptide
It does happen. It's not that common, but I have been in some groups where we've discussed some bugs, but usually it's an independent role. Mm-hmm.
00:46:46
windhustler
Yeah, yeah. So it's rare, right? When people collaborate, the productivity is better. You can bounce off ideas. So this is just a better mode of working.
00:46:59
windhustler
Then also, not to get too much into this, but there's a problem with payouts, with severity determining, and so on.
00:47:07
windhustler
Everyone knows about this. On the other hand, you have black hats that...
00:47:13
windhustler
I think a bigger percentage of them, especially state-sponsored, they always work in groups, right? It's five people in some government room in North Korea spending 12 hours a day trying to figure out the math, figure out a way to exploit, and so on. So they're probably more productive than some white hat in his apartment
White Hat Collaboration Proposal
00:47:43
windhustler
arguing on Immunefi whether he's going to get rewarded or not.
00:47:49
riptide
Yeah. Yeah. Big problem. Huge problem there.
00:47:52
windhustler
Big problem, big problem, obviously. Not to mention, we've seen it right now, if a project has been on Immunefi or elsewhere for a few years there's a very low chance that anyone really competent is going to look at it, because the return on investment is small, right? So I've just laid out all of these issues and I think everyone is kind of aware these issues exist.
00:48:20
windhustler
My opinion is, so I'm just talking about this stage specifically, obviously a lot can be done during development, AI reviews and so on, but when you deploy I think you need to have a way of mimicking what black hats do. So you would have to have at least one person, but probably like two, three people in a team trying to exploit your project. So once you deploy they literally try to exploit it. Now the only question is how to get the most talented people, so this doesn't cost millions or whatever, and how can they actually do this, so how to actually align incentives.
00:49:08
windhustler
I think this is a model that we'll see in the future. I think some big protocols probably have, maybe they call them internal researcher teams, but I would literally have two, three guys that try to exploit, but they're white hats, right? Once you deploy, maybe they don't work on that full-time, but they kind of work periodically in some smaller sprints, but they literally try to exploit it in real time.
00:49:47
riptide
Yeah, no, yes, it's a good model.
00:49:47
windhustler
I think this, yeah, yep.
00:49:51
riptide
I've actually sold this with success to clients before, offering like a targeted bounty hunt, a security review. So once all their audits are done and they're just live, I'm like, hey, call me up and let me just do a targeted bounty hunt. And I kind of explained the same thing. I was like, you put the bounty out there, you don't know who's looking at it, blah, blah, blah. It's like, hey, and I give them a discount too. So you're going to put your bounty up for half a mil
00:50:19
riptide
for criticals; now I'm saying, listen, before you put it out there, let me save you some cash. All right, give me a week and I'll do a targeted bounty hunt on your protocol. And we'll incentivize criticals at whatever it is, 15 grand a critical, keep it reasonable for the client while also incentivizing yourself. And that way it's like, here's a base fee just for my time. But then you're only going to pay for highs and criticals, only things that are going to destroy this protocol.
00:50:49
riptide
And every time I've done that, it's been a successful result. The team liked it. I said, if you're really confident in your code, we'll just do a lower base fee, pay me a lower base and then do a higher incentivized bug payment.
00:51:06
riptide
But if you're not that confident, I'll take a higher base and then a lower incentivized high/critical fund. And it's worked out pretty well, man. I think clients like that; it gives them immediate feedback and it's like a pre-bug-bounty run
00:51:19
riptide
that can save them money before they actually go to the bug bounty market.
00:51:24
windhustler
Yeah, definitely. I mean, why do you think this is not done more often? Like, what's your opinion?
00:51:36
riptide
Well, who's going to do it? I mean, the audit firms, they stage it as an audit, right? It's an audit product; it's easy to sell that to many clients. And I think you gotta have a certain brand and you gotta have a certain knack for finding these different kinds of bugs. I don't know how to explain it. Honestly, it's very difficult, but like a bounty hunter could get business doing this, as I've done, by just offering a targeted bounty hunt. If you're good,
00:52:04
riptide
you should be able to find something. And I think it's a different mindset, man. I just think auditors look at code and there are so many different things they're also dealing with.
00:52:15
riptide
They're back and forth with the client; they have to recommend changes. They have to audit those changes. There's a lot of discourse. And the bounty hunter is just like, I don't care about any of this. I don't care about your rules. I don't care about your scope.
00:52:30
riptide
I don't care about anything. I'm just going to try to find a way to break the code. And I think there's something core there that auditors just do differently than bounty hunters.
00:52:40
windhustler
Yeah, I mean, I definitely don't disagree there.
Auditing vs. Bounty Hunting
00:52:43
windhustler
I always say, I just really... I had some post on X maybe a few days ago where I was saying, like, auditing, prior to audit, it is line by line.
00:52:56
windhustler
And then contract by contract. And then in the end, if you have enough time, you will try to look at the system as a whole. If it's like 5,000 lines of code,
00:53:09
windhustler
you probably didn't check all the complex scenarios, no way you checked everything. If it's even bigger, 10,000, no freaking way, unless you had like three months to check it. There usually just isn't enough time, and obviously you communicate with the clients, recommendations, info, low issues, you log maybe 30, 40 issues and so on. While bug hunters, yeah, completely different: from the start you just look for that complexity. It's very different. But I'm just interested, so why do you think Immunefi doesn't offer something
00:53:55
windhustler
like this? They have a lot of clients, they have a lot of clients with deep pockets. Why don't they say to client A that has a five million dollar bug bounty,
00:54:05
windhustler
okay, we'll get you someone, two white hats from, I don't know, top 20, top 30 on Immunefi, that will be specifically assigned to your project?
00:54:17
riptide
Yeah, that's a good question. And I don't know if they don't do that, like with their all-stars and stuff like that they're talking about. I mean, I think Mitch should do
Importance of Security Investment
00:54:28
riptide
that. It seems like a great idea. I mean, it's another product line; you could sell a targeted bounty hunt and protocols would probably go for it, and researchers would like it too because...
00:54:38
riptide
These guys, like if you're in the crypto game and you run a protocol and you don't think security is number one, you're fucking crazy. Your whole ship can go down like that.
00:54:49
riptide
If you don't understand that, get out, because you don't deserve a spot in this industry. So guys that know what's up, they love having guys look at their code.
00:55:01
riptide
And anyone that dismisses people like... I have plenty of Telegram channels where I just, like I have the LayerZero guys right now that I just sent a finding to. And I was like, hey, maybe this is a low or something. You want to take a look?
00:55:14
riptide
And then, oh no, we have some protections on the side for it. Okay, cool. Just like that. Like I have a relationship with a bunch of teams where I'm not like, hey, you got to pay me for this. It's just like having those connections that are built upon mutual trust, knowing that the team is looking out for the protocol, they respect security researchers, and on the same side SRs are like, hey, look, we respect the team, we want to secure the protocol. We also want to make a living, but we're not going to waste your time with some bullshit.
00:55:44
riptide
So having that mutual thing versus when you come across a project that is run by assholes, that you give a valid critical bug, as has happened many, many times for many people, and they just come up with a million reasons or just flake on you. I mean, that's kind of the disconnect there.
00:56:05
windhustler
Yeah, I mean, I agree. And unfortunately, I mean, you said the difference between good and bad security is that you can literally sink, right? You can get rain. It's game over for you.
00:56:18
windhustler
But some people, I don't know, some projects, project founders, whatnot, they just don't care. I've even heard, like, I've been talking with this one researcher. He told me that
00:56:34
windhustler
some projects just say security is not generating revenue, so we're not going to invest any significant money in it. Literally, literally like that. So it's not generating revenue, we don't care if something happens. Well, obviously they do invest something, but it's probably something minimal, like one audit.
00:56:59
riptide
Take your money out. That's all I'll say. Take your funds out of that. Do not vote with your dollar as an investor for that protocol.
00:57:07
windhustler
Yeah, yeah, it's crazy, it's crazy. But again, developing on the blockchain is so expensive, right? It's so much more expensive than just building some web app or mobile application or whatever.
00:57:29
riptide
Absolutely. Yeah. It's a wild space we live in, man. A wild space.
Conclusion and Farewell
00:57:34
riptide
And I'm going to cap it since we are at an hour, Mr. Wind Hustler. It was fantastic having you on the pod.
00:57:42
riptide
Thank you very much for joining. And we will see you all next time on the blockchain.