Complete Audit Cycle

With Complete Audit Cycle, security researchers can earn additional rewards by delivering more comprehensive and ready-to-use solutions to sponsors through fixes and tests.

Complete Audit Cycle leverages researchers' expertise in the projects they secure by:

  • Enabling add-ons like fixes and tests for vulnerability submissions

  • Allowing peer review of fixes by qualified researchers

  • Delivering project-standard code that’s production-ready

  • Creating consistent income paths for long-term contributors

  • Reducing stress in the reward process for dependable contributors

Who Can Submit: Top 20% of researchers ($5,000+ in earnings)

Impact: We're building tools for decentralized secure development in which researchers not only find issues but also fix them.

This feature enriches the overall audit process, making it more valuable to sponsors while rewarding researchers who invest time and skill into making solutions that are thorough and actionable.

How the Complete Audit Cycle Works

To submit fixes and tests, a researcher must be among the top 20% on the leaderboard with $5,000+ in earned rewards on Hats. Qualified researchers can:

  1. Claim Fixes and Tests: Following any vulnerability submission marked for enhancement, top contributors can claim the opportunity to provide the fix and/or test.

  2. Submit Complete Solutions: Researchers who claim a fix have 12 hours to submit the complete fix and accompanying test. Fixes must follow the project's code style for quality and consistency.

  3. Earn Rewards: For each complete fix and test, points and rewards are provided. This allows researchers to elevate their earnings by completing solutions that enhance overall security.

Core Fix Requirements:

  • Fully addresses identified vulnerability

  • Matches project's code style and patterns

  • Includes targeted tests covering vulnerability

  • Maintains existing interfaces and performance

  • Changes focused only on vulnerability fix

Core Test Requirements:

  • Demonstrates vulnerability existence pre-fix

  • Verifies fix prevents vulnerability post-fix

  • Covers core edge cases related to vulnerability

  • Uses project's testing framework and patterns

Acceptance Criteria:

  • Fix directly addresses reported vulnerability

  • Tests prove vulnerability is fixed

  • Code follows project standards

  • Changes are minimal and focused

  • Documentation clear and complete

Fix/Test Rejection Valid Only If:

  • Does not fix vulnerability

  • Introduces new security risks

  • Breaks existing functionality

  • Severely impacts performance

  • Fails to follow project standards

Note: The focus is on proving that the fix is effective. Additional edge cases may be suggested, but they cannot be the sole basis for rejection if the core vulnerability is properly addressed and tested.

The Point System

To incentivize comprehensive reports, the complete audit cycle will offer a tiered point structure:

  • Extra Points for Fix: An additional 10% of the initial report points for an accepted fix (tagged as complete by the sponsor)

  • Extra Points for Test (only if the issue requires a test): An additional 5% of the initial report points for an accepted test (tagged as complete by the sponsor)

Let's explore an example of how the point system works:

In this example, researchers receive 1 point per Low finding. An accepted fix for a Low issue therefore earns 0.1 extra points (10% of the Low issue's points).

In cases where a Test isn’t applicable, submitters can check the “Test not applicable” option. Points for completed Tests and fixes are pooled into the total reward for the competition, allowing participants to benefit without additional funding from project sponsors.
