This is the Spearbit template repository for security reviews.

Create GitHub issues with the `finding.md` template and use the appropriate severity labels (see below).
- Inside the `ISSUE_TEMPLATE`, change the `[PROJECT]:` name to the client's name accordingly.
- Please run the `create-labels.py` script locally when preparing the audit repository to remove GitHub's default labels and introduce custom ones, which improves the auditors' workflow.
- Leave initial comments / findings on the GitHub pull requests. This can be used to collaboratively discuss among the security review team and the client asynchronously.
- Once a finding from a pull request review is finalized, it can be converted into a GitHub issue with the following tags:
  - Severity: Critical Risk.
  - Severity: High Risk.
  - Severity: Medium Risk.
  - Severity: Low Risk.
  - Severity: Gas Optimization.
  - Severity: Informational.
  - Status: Acknowledged.
  - Status: Fixed.
  - Status: ReadyForReport.
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: High | Critical | High | Medium |
| Likelihood: Medium | High | Medium | Low |
| Likelihood: Low | Medium | Low | Low |
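An added illustration (not the repository's own `create-labels.py`, which is not shown here) of what such a label-sync script does: it plans which of GitHub's default labels to delete and which of the labels above to create, applies that plan through the GitHub REST labels endpoints, and maps a likelihood/impact pair from the matrix to its label name. The label colours and the `sync_labels` entry point are assumptions; only the label names come from this README.

```python
import json
import urllib.parse
import urllib.request

# Label names come from the README; the colours are constructed placeholders.
CUSTOM_LABELS = {
    "Severity: Critical Risk": "b60205", "Severity: High Risk": "d93f0b",
    "Severity: Medium Risk": "fbca04", "Severity: Low Risk": "0e8a16",
    "Severity: Gas Optimization": "1d76db", "Severity: Informational": "c5def5",
    "Status: Acknowledged": "bfd4f2", "Status: Fixed": "0e8a16",
    "Status: ReadyForReport": "5319e7",
}

# The README's severity matrix, indexed [likelihood][impact].
SEVERITY_MATRIX = {
    "high":   {"high": "Critical", "medium": "High",   "low": "Medium"},
    "medium": {"high": "High",     "medium": "Medium", "low": "Low"},
    "low":    {"high": "Medium",   "medium": "Low",    "low": "Low"},
}

def severity_label(likelihood, impact):
    """Name of the 'Severity: ... Risk' label for a likelihood/impact pair."""
    return f"Severity: {SEVERITY_MATRIX[likelihood.lower()][impact.lower()]} Risk"

def plan_label_sync(existing):
    """Split current labels into (to_delete, to_create): anything outside CUSTOM_LABELS
    (GitHub's defaults such as 'bug') is deleted, missing custom labels are created."""
    present = {lbl["name"] for lbl in existing}
    to_delete = sorted(present - set(CUSTOM_LABELS))
    to_create = [name for name in CUSTOM_LABELS if name not in present]
    return to_delete, to_create

def _request(method, url, token, body=None):
    """Minimal authenticated call against the GitHub REST API (stdlib only)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")  # DELETE returns an empty body

def sync_labels(owner, repo, token):
    """Apply the plan to github.com/owner/repo; the token needs write access to the repo."""
    base = f"https://api.github.com/repos/{owner}/{repo}/labels"
    to_delete, to_create = plan_label_sync(_request("GET", f"{base}?per_page=100", token))
    for name in to_delete:
        _request("DELETE", f"{base}/{urllib.parse.quote(name, safe='')}", token)
    for name in to_create:
        _request("POST", base, token, {"name": name, "color": CUSTOM_LABELS[name]})
    return to_delete, to_create
```

Run `plan_label_sync` against the output of the labels endpoint first to review what would be deleted before calling `sync_labels`, since label deletion is not reversible.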
- These issues should then be polished and properly typeset. This task is mainly aimed at non-lead security researchers and apprentices in the project. Please follow the style guidelines.
- Use the report-generator to collect issues into a markdown file to be later compiled into a .pdf via LaTeX. This allows the GitHub issues to be a single source of truth.