​

Competitions

​

Competition Planning

• Booking a Competition: To begin, fill out the competition request form. A member of the Cantina team will reach out to discuss the next steps and ensure the competition is tailored to your specific needs.
• Defining Scope and Prizes: Once the competition is booked, you’ll complete a Competition Submission Template. This document will help outline the project scope, including target repositories, commit hashes, and prize distribution. Be sure to define the scope clearly, specifying which parts of the codebase should be audited and how prize pools will be allocated.

​

Timeline and Structure

• Competition Duration: You can determine the duration of your competition based on your organization’s needs. Typically, these competitions last from a few weeks to a couple of months, depending on the complexity of your codebase.
• Competition Phases: Our structured approach ensures comprehensive coverage and clear outcomes through the following phases:
  • Scoping and Information Gathering: Define competition parameters, scope, and technical requirements
  • Statement of Work (SOW): Finalize competition agreement with scope, deliverables, and timelines
  • Kickoff: Official launch with project introduction and competition rule walkthrough
  • Competition Period: Researchers audit codebase and submit vulnerability findings
  • Communication Channels: Ongoing support and clarification throughout the competition
  • Fix Period: Address identified vulnerabilities with Cantina team support
  • Findings Call: Final audit meeting discussing outcomes and recommendations
  • Final Report Delivery: Comprehensive documentation of findings and security recommendations
  • Closeout Call: Competition feedback and strategic security discussion

​

Participants and Teams

• Participant Roles:
  • Security Researchers: The experts who will analyze your codebase for vulnerabilities.
  • Judges: Responsible for auditing and scoring the findings submitted by researchers.
  • Fellowship Stewards: Experienced researchers assigned by Cantina to oversee the competition and contribute to the audit process.
• Team Formation: Researchers can participate individually or form teams. Collaboration is encouraged to leverage diverse expertise and maximize the effectiveness of the competition.

​

Submission Process

• Finding Submission: Researchers submit identified vulnerabilities using a standardized format, ensuring clarity and consistency.
• Proof of Concept (PoC): By default, all competitions have a mandatory POC rule: All high and medium severity submissions must be accompanied by a coded Proof of Concept before the competition ends. This applies only to researchers with a reputation score below 80.

​

Judging Process

• Severity Assessment: Each finding is evaluated based on its impact and likelihood of exploitation. We follow the Finding Severity Criteria to ensure consistent and objective assessments.
• Scoring: Findings are scored according to their severity, with high-severity issues earning the most points. Researchers are awarded based on the points they accumulate through valid and impactful findings.
• Escalation Process: In the event of disagreements over the severity assessment, researchers can appeal the decision. We ensure a fair audit process, though invalid escalations may result in penalties.

​

Escalation Process

​

Awards Distribution

• Prize Allocation: Based on the scoring, participants receive their share of the prize pool.
• Fellowship Steward Compensation: Dedicated researchers receive fixed payments in addition to competition rewards.

​

Results and Reporting

• Final Report: At the conclusion of the competition, we deliver a detailed report summarizing all findings, fixes made, and additional recommendations for improving your security posture.
• Post-Competition Support: After the competition, your team will receive recommendations for further strengthening your codebase based on the insights gained during the audit process.