At Quantstamp, a minimum of three audit engineers are assigned to every project. While the initial preparation and discussion of the audit is a collaborative process, each auditor conducts their own code review, using a mixture of manual review and proprietary tooling.
Once each auditor has conducted their reviews, those results will be collated and a preliminary report with findings will be made. The findings are categorized by severity. Our audit team will also share potential ways to fix or mitigate them.
The preliminary findings are shared confidentially with the project. The project is also given a period of time (usually two weeks) to fix vulnerabilities and address the findings contained in the report. Upon completion of fixes, the audit team will conduct a ‘Fix Review,’ to verify the changes that have been made. The original issues are then marked as ‘Fixed,’ ‘Mitigated,’ ‘Acknowledged’ or left as ‘Unresolved.’
The audit report is then updated to its final version and delivered to the project. Often our reports are made public by the project itself, but public reports can also be viewed (and verified) on our website.
As you can see from the process above, good communication between the audit company and the project is required to ensure the success and smooth progress of any security audit.
Examples of good documentation: