FAQ Security Reviews

How to access cantina repo?

A core team member must set it up first, then share the link with you. Direct access to cantina repo from SR dashboard not yet supported. A workaround is to:

  • Access it through notifications.

  • Saving the link corresponding to the cantina repo review.

  • If its related to Competitions

I am doing a security review and not a competition. Can the client see my comments and findings?

Yes, but it may be hard to locate comments. When leaving comments, always ping @project so they receive a notification. Note that when a comment is a reply to another comment, all the users that left a comment in the thread will get a notification.

Can i ping fellow SRs?

No. It is not possible to ping the username of the security researchers in your team yet.

Can i communicate natively on a cantina repo?

Chat like functionality is not yet available. You can nevertheless

  • Communicate via comments.

  • Communicate on the finding thread.

  • Ask the core team to set up private discord communication channels.

Can I mark finding as FIXED or ACKNOWLEDGED?

Not yet. To finalize the status of a finding it will have to be done with a comment on that finding.

Can i download a cantina repository?

Yes. Download content and toggle sidebar. You should nevertheless have access to the original repo with the code in scope (if you do not, reach out to core team).

Last updated