The Auditing process

What does the auditing process look like?

CodeHawks ensures the security of the protocols and teams we assist through an innovative process of private and community code reviews.

To learn more about how a competitive audit works from an auditor's perspective, check out the auditors section.

Ensuring the security of protocols and their users is our top priority; making the process as smooth as possible for developers and protocol teams is our second.

On this page you'll learn what your journey to securing your code base will look like and what you'll need to provide to ensure full coverage of your protocol.

Here's what our auditing process looks like:

1. Request an audit

Request an audit by going to codehawks.com and submitting the "Request an Audit" form under "Request Audit". Audits can be scheduled with at least 3 days' notice.

Our team will get back to you within two days to organise a screening call and assess the properties of your project and code base.

2. Screening interview and code base assessment

The CodeHawks team will reach out to you to discuss your audit scope, expected timeline, and the requirements that must be met before an audit can start. They will also recommend the auditing path (competitive, private, or both) best suited to your project.

Check out our guidelines for more information on what is required to start an audit.

3. Pricing and timelines

The CodeHawks team will conduct an initial assessment of your code base and project and provide you with a quote based on the time required for the audit and the complexity of the code.

You can learn more about pricing and timelines on our guide.

4. Code Freeze

At least 2 days before the audit starts, protocol teams are required to send CodeHawks the final:

  • commit

  • branch

  • known issues

  • contracts.

After that, a code freeze is required so that everyone is looking at exactly the same code for the entire duration of the audit.

Please note that the freeze also applies to your own repository: a pull request opened during the audit can leak hints (alpha) about fixes or findings to our community.

Take a look at the Preparing for an Audit guide to learn more about what you'll need to get the audit started.
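As an added example (not CodeHawks tooling, and not something this page prescribes), the POSIX shell script below makes the freeze checkable on your side. write_manifest records the frozen commit and branch when run inside a git repository (refusing a dirty working tree) plus a SHA-256 per in-scope contract file; check_manifest later confirms that the tree still matches, so a post-freeze edit or a missing file is caught before it reaches the auditors. The manifest format, file names and function names are assumptions for illustration.

```shell
#!/bin/sh
# freeze_manifest.sh: record and verify a code-freeze snapshot.
# Added example, not CodeHawks tooling; the manifest format is an assumption.
#
#   sh freeze_manifest.sh write freeze.txt src/Vault.sol src/Token.sol
#   sh freeze_manifest.sh check freeze.txt

# Portable SHA-256 of one file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

in_git_repo() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1
}

# write_manifest MANIFEST FILE...
# Refuses to freeze uncommitted changes, then records the commit, the
# branch (informational) and one "file <sha256> <path>" line per contract.
write_manifest() {
  manifest=$1
  shift
  if in_git_repo; then
    if [ -n "$(git status --porcelain)" ]; then
      echo "working tree has uncommitted changes; commit before freezing" >&2
      return 1
    fi
    {
      echo "commit $(git rev-parse HEAD)"
      echo "branch $(git rev-parse --abbrev-ref HEAD)"
    } > "$manifest"
  else
    : > "$manifest"
  fi
  for f in "$@"; do
    [ -f "$f" ] || { echo "no such contract file: $f" >&2; return 1; }
    echo "file $(sha256_of "$f") $f" >> "$manifest"
  done
}

# check_manifest MANIFEST
# Returns 0 only if the frozen commit (when inside git) and every recorded
# contract hash still match; every drift is reported on stderr.
check_manifest() {
  manifest=$1
  status=0
  while read -r kind value path; do
    case $kind in
      commit)
        if in_git_repo; then
          current=$(git rev-parse HEAD)
          [ "$current" = "$value" ] || {
            echo "commit drift: frozen $value, HEAD is $current" >&2
            status=1
          }
        fi
        ;;
      file)
        if [ ! -f "$path" ]; then
          echo "missing since freeze: $path" >&2
          status=1
        elif [ "$(sha256_of "$path")" != "$value" ]; then
          echo "changed since freeze: $path" >&2
          status=1
        fi
        ;;
    esac
  done < "$manifest"
  return $status
}

# Command-line dispatch; sourcing the file without arguments does nothing.
case "${1:-}" in
  write) shift; write_manifest "$@" ;;
  check) check_manifest "$2" ;;
esac
```

Commit the manifest alongside the known-issues document you send in, and run the check in CI on the frozen branch for the duration of the audit: a red build is an immediate signal that someone has pushed to the frozen code.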

5. Audit Begins

In the case of an audit competition, we ask that one or more members of your engineering team be available on the CodeHawks Discord server to answer auditors' questions in the dedicated channel.

Each member will be given a special "sponsor" role so that auditors can recognise you.

In any case, our community managers will always be available to help you through the process and to answer auditors' questions.

6. Judging and Appeal

Immediately after the audit contest ends, the judging phase begins. Its duration varies with the number of issues submitted. During this phase, security experts thoroughly evaluate the submissions. Once judging is complete, the appeal period begins: security experts can flag any issue they believe was categorised incorrectly during the initial judging and request a second opinion. To learn more about the appeal period, refer to the appeals guide.

7. Initial report

A day or so after the appeal period ends, the CodeHawks team will compile a curated, de-duplicated list of all High, Medium and Low severity findings for your team, so that you can prioritise and address them effectively.

Note: the following steps apply only to protocols that opt in to competitive reviews or private audits.

8. Mitigation phase - Fix the code

First, our teams will agree on a suitable time frame for tackling these issues.

Once the time frame is set, your team can start implementing the necessary fixes in your code base. Addressing these vulnerabilities promptly and completely is what turns the report into a more secure system.

Additionally, you may opt for a Mitigation Review Contest after your initial audit to verify your fixes. These are much faster than the initial audit.

Through these steps, you'll strengthen your code and safeguard your application against potential threats.

9. Final report

After the fixes are in, our team will review your code once more and compile a detailed final report, confirming that every fix has been implemented and that your code is ready to ship.
