This section outlines the process and recommendations for implementing fixes, reviewing them, and the specific methodology for labeling issues during this phase.
Fix Review Period
A 2-week fix review courtesy period is initiated to allow the client to implement fixes and have them reviewed by the security review team. This process is consultative and collaborative in nature and we urge clients to take full advantage of this courtesy period.
Extensions and Conditions
If the fixes have not been fully reviewed by the end of the 2-week period, the client can request an extension by signing a fix-extension Statement of Work (SOW).
Note: Create one Pull Request (PR) per issue to facilitate reviewing the fixes. The researchers on the review team work on a stand-by basis and are not engaged full time. Should the fixes alter the protocol's behavior or be unrelated to the issue, a new SOW must be signed.
The client is advised to follow a specific labeling methodology as issues progress through different statuses.
Changes Requested: The Spearbit team uses this label for issues where a fix has been applied but requires alterations. Once the client has applied the requested changes to the PR, this label is removed and replaced with Status: Changes Applied.
Changes Applied: Informs the Spearbit team that the requested changes have been applied to the PR and it is ready for re-review. On successful review the label is updated to Status: Verified by USERNAME.
Verified by USERNAME: Applied once the fix has been validated by the named Spearbit security researcher. If further alterations are necessary, Status: Changes Requested is re-added instead.
Fixed: Applied if the project has fixed the issue.
Acknowledged: Applied if the project has acknowledged the issue without further action.
ReadyForReport: Used to confirm the issue is ready for the client report.
Note: In either case (verification or further changes requested), the Spearbit team removes the Changes Applied label. The label swapping may continue for several rounds until the Spearbit team approves and verifies the PR changes.