
Security Reviews: Researcher Guide

A streamlined guide to help you navigate Cantina’s security review process as a researcher—from accessing repos to communicating findings effectively.

Accessing a Cantina Repo

Contact the Cantina core team to get access to the repository for your engagement.

Commenting, Tagging & Communication

Can clients see my comments and findings?

Yes—clients have access to your comments and findings. However, they may not notice a comment unless you ping @project, which sends them a notification.
Always ping @project when commenting on findings or threads. Replying to an existing comment notifies everyone already involved in that thread.

Can I ping fellow security researchers (SRs)?

Not at this time. Ping functionality is currently limited to the @project tag; other researchers on the engagement cannot be tagged individually.

Can I chat natively in the repo?

Real-time chat is not supported in the repo. Instead, you can:
  • Leave comments directly on the code or on findings.
  • Discuss in finding threads, where replies notify everyone involved.

Downloading the Repo

You can obtain a local copy of the Cantina repository in two ways:
  • Toggle the sidebar and select Download.
  • Use the original scoped repository, which you should also have access to.

Review Lifecycle: What to Expect

Here’s how Cantina’s team structures a security review, from kickoff to final delivery:

1. Kickoff

We align with the client on goals, expectations, and deliverables. This includes scope confirmation and scheduling initial meetings.

2. Scoping & Information Gathering

You’ll receive documentation and codebases to understand the system deeply. Expect technical specs, diagrams, and architectural overviews.

3. Security Review Period

This is your time to shine: manual analysis, tool-assisted testing, and a deep dive into the codebase to identify vulnerabilities and logic flaws.

4. Communication Channels

Cantina facilitates structured touchpoints and asynchronous updates. Use repo comments, finding threads, or Discord (if a channel has been set up for the engagement).

5. Fix Period (Optional)

Clients may patch the reported vulnerabilities during this period. Be available to clarify your findings and answer questions about them where needed.

6. Close-Out Call

We walk through the findings and their resolutions with the client. This solidifies the client’s understanding of the issues and closes the review loop.

7. Final Report

You’ll contribute to a detailed report outlining the vulnerabilities found, their severity, and the remediation work undertaken—an important artifact for the client’s security posture.