
A Typical Day as a Trail of Bits Engineer-Consultant

Wherever you are in the world, a typical day as a Trail of Bits Engineer-Consultant means easing into your work.

Here’s a short video showing some of our European colleagues describing a typical day as a Trail of Bits Engineer-Consultant.

You generally set your own hours (to provide at least a couple of hours of overlap with colleagues around the world), and you start by checking messages or comments received since you last checked in, and thinking about any requests for collaborative help. Then, depending on whether you’re on an audit or on non-client “bench-time”, your day could mean diving into code, or working on internal research and development, continuing education, or personal projects, etc.

Remote-First

One thing to know about Trail of Bits is that we have always been, and always will be, a remote-first company — “remote” isn’t a skill we added for the pandemic. That means that we are global in nature, and asynchronous by design. We’ve fostered a collegial atmosphere, one with close, intimate collaboration among colleagues.

Those of us who work here wouldn’t have it any other way.

At its heart, the art of asynchronous collaboration is about understanding the work, understanding our tasks, and asking clear questions that request actionable replies from our expert coworkers. It works. We believe that, according to the criteria described in “The Five Levels of Remote Work”, we are somewhere between levels four and five.

For example, we consider carefully when we need face-to-face meetings, to avoid the “this-meeting-could-have-been-handled-in-a-Slack-conversation” problem that plagues a lot of companies. When we do meet face-to-face, we use Google Meet; the meetings all have a written agenda, are recorded, and have notes taken and distributed to all attendees.

We have a minimal reliance on email for internal conversations, preferring the more secure and archived Slack as the primary chat and discussion forum. We strongly recommend that Slack is used with Notifications Off. We also do not require Slack to be installed on your mobile phone – in fact we suggest that you don’t – so you’re not tempted or compelled to check Slack during your time off (also, all personal mobile devices are required to run MDM if they handle any work data). Each project – whether formal or ad-hoc – has a dedicated Slack channel. Slack communications are written with the expectation that people have limited time, hence our focus on well-considered (and considerate) messages that come quickly to the point and make actionable requests for collaboration.

We use Trello and GitHub to visually collaborate on projects, Nifty to manage projects, and a range of other purpose-built tools to reduce toil and encourage meaningful collaboration without getting all up in your grill.

Work Hours and Work-Life Balance

We expect you to maintain a good, healthy, and enjoyable balance between your personal time and work time — see that example above: we don’t want you using Slack as you lie in bed! Since you already have a desk in your house, wait until you get to your desk to turn on Slack and start work. You’ll find that we’re quite insistent that you turn off during your time off — recharge, refresh, and hit the ground running when you are back.

To that end, we have generous programs to set yourself up at home, like a $1,000 stipend to set up your home office, a $500 a year personal learning and development budget, a co-working space option, 20 days of paid time off and 15 company holidays per year, and more. See this page for more information.

Set Your Hours: A Typical Day

We are a results-oriented company, and we are less concerned with when you work than with the impact your work has on the company. So a typical day can look like this:

Morning (9am-noon)

We recommend certain practices to begin your day, to draw a distinction between home-life and work. For example, we recommend establishing a commute even if you work in your own home. You can pull up recordings of any meetings from earlier in the week, read some messages a colleague left you overnight, and check for next-best priorities on GitHub Issues. You meet on Google Meet for a quick standup and see how things are going. You can see it on their face as clear as day — everyone at Trail of Bits has high-end audio/video equipment — they’re excited about a monster new attack surface they found yesterday.

Afternoon (noon-3pm)

Maybe you’d visited a doctor in the beginning of the week, so today you’re working a couple of extra hours to time-shift. You’ve got a lunchtime invite to attend a lunch-and-learn; you find it on the company-wide team meetings calendar and pop in. One of our Team Leads is reviewing an academic paper on such and such, and Sam Moelius is absolutely destroying him with extremely simple and polite questions. You file an issue you discovered by hand this morning into GitHub Issues. You document a few more security properties; these will be great for our fuzzer later this afternoon. It’s easy to focus because you followed the company-recommended advice to disable all but the most essential Slack notifications. But since your collaborator is a few timezones ahead, you pop out to run an errand before the stores close.

Evening (3-7pm)

You take a walk outside for coffee (“stupid little mental health walk”). Exercise and sun are good for the mind. Those properties you found this morning could result in excellent bugs if they break the project. You spend the rest of the evening writing them up into dylint/echidna/libFuzzer … whatever. You log in to your dev machine over Tailscale/locally in a VM/on DigitalOcean, and start a batch fuzzer job that will complete in the morning. You write a brief note on Slack to let your coworker know where things are and that you’re signing off for the night. You close the lid on your laptop, and you don’t have Slack installed on your phone. Time to raid a dungeon in Elden Ring!

Next week, you have IRAD planned to take the lessons learned from this project and incorporate them into the company’s new Automated Testing Handbook.

More questions?

Get in touch. Visit https://trailofbits.com/careers, or use our contact form.

*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by Nick Selby. Read the original post at: https://blog.trailofbits.com/2022/06/30/a-typical-day-as-a-trail-of-bits-engineer-consultant/