Lead Security Analyst – Cryptographic Protocol Audit

to $6000

About V-Spot

V-Spot is a London-based cybersecurity research and technology institution. We conduct original security research, build defence technologies, and take on complex security engagements for government and enterprise clients across Europe. Our work spans zero-day research, blockchain security, and applied cryptography - we operate at the sharp end of the field.

 

The Engagement

We are looking for a Lead Security Analyst to join a specific, time-bound project: an independent security audit of did:webvh v1.0 - the decentralized identity protocol at the core of e-id infrastructure.

 

The audit covers four areas:

  • Cryptographic analysis of the did:webvh v1.0 specification (SCID derivation, entry hash chains, EdDSA/Ed25519, key lifecycle)
  • Security assessment of the integration context (OID4VCI, OID4VP, SD-JWT VC, Trust Registry)
  • Source code review of two open-source components: DID-Toolbox (Java) and DID-Resolver (Rust)
  • STRIDE-based threat modelling and comparison against the existing threat model

     

What You Need

  • 5+ years of hands-on experience in cryptographic security analysis and protocol auditing - not penetration testing of web apps, not cloud hardening. Protocol and cryptography work specifically.
  • Real experience reading and auditing cryptographic specifications - finding logical flaws, not just implementation bugs
  • Java code review for security โ€” static analysis tools and manual review
  • Rust code review for security โ€” unsafe blocks, memory safety, concurrency issues
  • Familiarity with decentralized identity standards: DID methods, Verifiable Credentials, W3C stack. Existing knowledge of did:web or did:webvh is a strong plus.
  • Experience building STRIDE threat models on real engagements
  • Ability to produce structured security reports with CVSS scoring for both technical and non-technical audiences

     

 

What Would Make You Stand Out

  • Prior work on government digital identity systems or PKI infrastructure
  • Published research in applied cryptography or protocol security
  • Experience with Coordinated Vulnerability Disclosure (CVD) processes
  • Knowledge of OID4VCI / OID4VP / SD-JWT ecosystem

 

Engagement Details

  • Type: Contract (project-based)
  • Location: Remote, with potential on-site sessions in Switzerland
  • Language: English (German is a plus)
  • Start: ASAP - timeline is fixed

 

To Apply

Tell us about a project where you audited a cryptographic protocol or specification - not a pentest, not a SAST scan. What did you analyze, what did you find, how did you report it?

Required languages

English C1 - Advanced
Published 16 April