> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cantina.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Review Process

> Guide for researchers conducting security reviews on Cantina

A streamlined guide to help you navigate Cantina's security review process as a researcher—from accessing repos to communicating findings effectively.

## Accessing a Cantina Repo

Contact the Cantina core team to get access to the repository for your engagement.

## Commenting, Tagging & Communication

### Can clients see my comments and findings?

Yes. Clients have access to your comments and findings, but they can easily miss a comment unless you **ping `@project`**, which sends them a notification.

<Tip>
  Always ping `@project` when commenting on findings or threads.

  Replying to a comment notifies everyone involved in that thread.
</Tip>

### Can I ping fellow SRs?

Not at this time. Ping functionality is currently limited to the `@project` tag.

### Can I chat natively in the repo?

While real-time chat isn't supported, you can:

* Leave **comments directly on the code or findings**.
* Discuss via **finding threads**.

## Downloading the Repo

You can download the Cantina repository by:

* Toggling the sidebar and selecting **Download**.
* Cloning the **original scoped repo**, which you should also have access to.

***

## Review Lifecycle: What to Expect

Here's how Cantina's team structures a security review, from kickoff to final delivery:

### 1. Kickoff

We align with the client on goals, expectations, and deliverables. This includes scope confirmation and scheduling initial meetings.

### 2. Scoping & Information Gathering

You'll receive documentation and codebases to understand the system deeply. Expect technical specs, diagrams, and architectural overviews.

### 3. Security Review Period

This is your time to shine: manual analysis, tool-assisted testing, and a deep dive into the codebase to identify vulnerabilities and logic flaws.

### 4. Communication Channels

Cantina facilitates structured touchpoints and async updates. Use repo comments, finding threads, or Discord (if set up).

### 5. Fix Period (Optional)

Clients may patch the reported vulnerabilities during this window. Provide clarification on findings and review fixes where needed.

### 6. Close-Out Call

We walk through the findings and their resolutions. This helps solidify the client's understanding and closes the review loop.

### 7. Final Report

You'll contribute to a detailed report outlining vulnerabilities, severity, and remediation efforts—an important artifact for client security posture.
