Skip to main content
Sign in Menu

Audit Project Material Guidelines

  • Updated

Audit Phases & Deliverables

Overview

The Immunefi audit process is structured to deliver high-impact, high-integrity security reviews by trusted experts in Web3. 

The process is fully managed by Immunefi, ensuring transparency, accountability, and a smooth experience across all participants.

  • Security Researchers (SRs) are selected by Immunefi from a vetted pool, based on their technical expertise and availability.
  • A dedicated GitHub repository is created by Immunefi to host the findings and facilitate structured collaboration.
  • Findings are submitted as GitHub issues and tagged with severity, type, and status.
  • Immunefi oversees the full workflow: kickoff, coordination, issue triage, report generation, and post-audit support.

Phase 1: Pre-Audit

This phase ensures both parties are aligned, the scope is clear, and all operational elements are in place to begin the audit.

  • Finalize and confirm audit scope, including filepaths, repositories, commit hashes, available documentation and any exclusions.
    • Note: The Audit will be executed on the specific commit provided by the customers before the Audit Start Date. Audit scope must be defined ahead of the start date and must not change during the Audit.
  • Immunefi selects the Security Researchers (SRs) based on the capabilities required for the Audit. The SR selection process will begin after the upfront payment has been received and confirmed by Immunefi.
  • The client grants read-only access to all relevant repositories to Immunefi and the selected SRs.
  • Immunefi sets up a dedicated GitHub repository for issue reporting.
  • Join communication channels (Telegram or Discord).
  • Participate in the Kick-off Call:
    • Present codebase structure
    • Clarify any design decisions
    • Confirm audit objectives and expectations

Phase 2: Audit Execution

During this stage, SRs begin reviewing the codebase and documenting their findings in the shared GitHub repository.

  • All issues are submitted as GitHub issues and must include:
    • Severity (None, Low, Medium, High, Critical)
    • Issue type (e.g., bug, optimization, documentation)
    • Affected lines of code and rationale
    • Suggested remediation (where applicable)
  • The Client’s team must monitor the repository and communication channel regularly.
  • Responses to issues should be timely, constructive, and documented.
  • If the the Client  team fixes issues during the audit:
    • Comment on the GitHub issue with the fix or commit link
    • Immunefi will label and track the fix accordingly

Phase 3: Audit Closure

At this stage, we consolidate insights, resolve open threads, and finalize all deliverables.

  • Participate in a Closing Call with Immunefi and the SRs to:
    • Review major and high-severity findings
    • Align on open issues or unverified fixes
    • Discuss post-audit activities and next steps
  • Immunefi compiles the final audit report based on GitHub issues.
  • Execute the code fixes verification by SRs (if requested by the Client)
  • Once finalized, the audit report can be:
    • Used internally by the Client
    • Published externally (recommended for transparency)

Related articles

Comments

0 comments

Article is closed for comments.