Security Awareness

Stay safe while you do the work.

Short, practical guidance for testers, researchers, and analysts. Most incidents start with a small mistake — these habits prevent the common ones.

Phishing

  • Check the sender address, not just the display name.
  • Hover over links before clicking; watch for look-alike domains.
  • We will never ask for your password by email.
  • When in doubt, open the site yourself instead of clicking a link.

Social engineering

  • Be wary of urgency, secrecy, or pressure to bypass a process.
  • Verify unusual requests through a second, known channel.
  • No one on our team needs your login to help you.

Multi-factor authentication

  • Turn on MFA wherever it is offered.
  • Prefer an authenticator app or hardware key over SMS.
  • Keep backup codes somewhere safe and offline.

Passwords

  • Use a long, unique passphrase for each account.
  • Use a password manager so you do not have to remember them.
  • Change a password immediately if you suspect it leaked.

Protecting your account

  • Sign out on shared devices.
  • Review active sessions and revoke ones you do not recognize.
  • Report anything that looks off — better a false alarm than a missed breach.

Handling data

  • Share information only with people who need it.
  • Do not paste sensitive data into tools you do not control.
  • Delete what you no longer need.

Protecting sources

  • Strip metadata from files before sharing them.
  • Avoid linking a source to identifying details in the same place.
  • Use our confidential reporting channel for sensitive material.

Operational security

  • Keep your devices and browser up to date.
  • Separate personal and research accounts.
  • Assume that anything online can be logged — plan accordingly.

Spotted something that looks like an attack on the platform? Report it through responsible disclosure. Need to report misconduct? Use the whistleblower center.