Comment on page
How to Write and Submit a Finding
At CodeHawks, ensuring a streamlined and standardized process for reporting vulnerabilities is of utmost importance. This ensures your submissions are explained with clarity, facilitates fair judging, and results in a safer blockchain ecosystem.
All finding submissions are handled directly through the CodeHawks web platform to ensure a simple and streamlined process.
When documenting a finding, adhere to the following structure:
## Summary
(Provide a brief overview of the vulnerability.)
## Vulnerability Details
(Delve deep and elaborate on the identified issue, including where it exists in the codebase.)
## Impact
(Describe the potential consequences of this vulnerability. How could it harm the protocol or users?)
## Tools Used
(List any tools or software that aided in the identification of the vulnerability.)
## Recommended Mitigation
(Suggest ways to resolve or mitigate the identified vulnerability.)
- Medium or High Severity Findings: Submit individually.
- Low Findings (Low risk or Non-critical): Compile into a single report per auditor or team.
For an in-depth understanding on assessing risk, refer to our how to evaluate a finding severity guide
The responsibility to validate the findings rests with the auditors. A detailed explanation and justification of the potential impact are crucial for a top-quality submission. The depth of the proof required correlates with the potential value of the submission.
An insufficient proof is when a judge needs to invest additional time in research or coding to verify the claims made in the submission. It's highly recommended to provide a coded proof of concept (POC) for your findings. This aids the judges immensely in verifying your claims swiftly and accurately.
Submissions deemed to lack sufficient evidence may risk invalidation.