This amendment to the Security Auditing Department workflow is intended to establish a set of rules for accepting, approving and paying security audit requests at Callisto Network.
Motivation
Previously Callisto Team accepted any security audit requests and handled them free-of-charge by subsidizing the work of auditors from Treasury fund. Audits were processed in a continuous queue as auditors performed the tasks.
This model assumed that the audits are delivered in exchange for co-promotion and the general use case of Callisto as an independent security enhancement mechanism will boost its brand recognition and mass adoption.
The model had two main shortcomings:
Smart contract developers tend to use security audits as part of their marketing campaign, and they will not promote Callisto as their partner if the audit identifies critical errors that could damage the marketing of the audited project.
Processing a constant queue of the security audits is expensive and it may hurt the long term Callisto sustainability.
A new model of accepting audits is hereby proposed to address the flaws of the previous one and ensure a long term sustainability of Security Department.
Security audits not included in the list of free audits should be processed on a paid basis.
Priority
Payment formula
High
500 USD + (0.5 USD per line of code)
High priority audits are processed before any audits in the queue, except for the highest priority audits.
The security audit requester can further increase the priority of an audit request by negotiating a higher payment with the security auditing manager when submitting the audit request.
We accept ETH, CLO, USDT
The payment must be sent to the address provided by the Auditing Manager in the comment thread
The payment amount will be calculated based on the exchange rate of the currency that was used for the payment (calculated at CoinMarketCap rate). The amount of payment depends on the length of the code of the auditable contract. Empty lines of code and comments can be excluded.
It is recommended to use SLOC counter to calculate the accurate amount of lines of code that require payment. The overpaid amount will be returned to the sender's address after the completion of the security audit. Highest priority audit requests are processed ahead of queue.
Security auditing fee
It is proposed to withhold a certain percentage of each audit request payment in order to fuel the sustainability of the platform.
Collected security auditing fees must be deposited to the Treasury address.
Awaiting payment deadline
Initially, audits were kept in a queue until the author abandons the audit. Now it has become obvious that all the audit requests, the period of which exceeds 2 weeks without payment, can be closed.
Audit requests that remained in "awaiting payment" status for more than 2 weeks must be closed.
Security Auditing manager workflow
Initially, the job of an audit manager was limited to comparing auditors' reports and checking their work. It has now become clear that in some circumstances the roles of the Auditor Manager can be expanded.
Security Auditing manager is allowed to participate in the audit process alongside assigned auditors. In this case he should create his own Audit Report gist as if he was an auditor and perform the review of the contract code. Since the manager sees all the auditors' reports in the process, he should only describe those findings that the other auditors failed to report.
Security Auditing manager is not obligated to participate in the auditing process.
There are two possible scenarios for rewarding Security Auditors and Auditing Manager:
In case the Auditing Manager found any "medium" or higher severity issues that other auditors failed to report then these "medium" severity issues must be used in the reward calculation formula (see Auditing Department reward calculation v2). Auditing Manager is paid for the finding of this issue upon completing of the audit as if he was an active auditor.
In case the Auditing Manager did not found any "medium" or higher severity issues that other auditors failed to report then the Auditing Manager is excluded from the process of reward calculation.
This amendment to the Security Auditing Department workflow is intended to establish a set of rules for accepting, approving and paying security audit requests at Callisto Network.
Motivation
Previously Callisto Team accepted any security audit requests and handled them free-of-charge by subsidizing the work of auditors from Treasury fund. Audits were processed in a continuous queue as auditors performed the tasks.
This model assumed that the audits are delivered in exchange for co-promotion and the general use case of Callisto as an independent security enhancement mechanism will boost its brand recognition and mass adoption.
The model had two main shortcomings:
Smart contract developers tend to use security audits as part of their marketing campaign, and they will not promote Callisto as their partner if the audit identifies critical errors that could damage the marketing of the audited project.
Processing a constant queue of the security audits is expensive and it may hurt the long term Callisto sustainability.
A new model of accepting audits is hereby proposed to address the flaws of the previous one and ensure a long term sustainability of Security Department.
Specification
Limited monthly free-of-charge auditing campaign
The limited free-of-charge audits can be performed in accordance with Auditing Department business model v1.
Paid security audits
Security audits not included in the list of free audits should be processed on a paid basis.
High priority audits are processed before any audits in the queue, except for the highest priority audits.
The security audit requester can further increase the priority of an audit request by negotiating a higher payment with the security auditing manager when submitting the audit request.
We accept ETH, CLO, USDT
The payment must be sent to the address provided by the Auditing Manager in the comment thread
The payment amount will be calculated based on the exchange rate of the currency that was used for the payment (calculated at CoinMarketCap rate). The amount of payment depends on the length of the code of the auditable contract. Empty lines of code and comments can be excluded.
It is recommended to use SLOC counter to calculate the accurate amount of lines of code that require payment. The overpaid amount will be returned to the sender's address after the completion of the security audit. Highest priority audit requests are processed ahead of queue.
Security auditing fee
It is proposed to withhold a certain percentage of each audit request payment in order to fuel the sustainability of the platform.
Collected security auditing fees must be deposited to the Treasury address.
Awaiting payment deadline
Initially, audits were kept in a queue until the author abandons the audit. Now it has become obvious that all the audit requests, the period of which exceeds 2 weeks without payment, can be closed.
Audit requests that remained in "awaiting payment" status for more than 2 weeks must be closed.
Security Auditing manager workflow
Initially, the job of an audit manager was limited to comparing auditors' reports and checking their work. It has now become clear that in some circumstances the roles of the Auditor Manager can be expanded.
Security Auditing manager is allowed to participate in the audit process alongside assigned auditors. In this case he should create his own Audit Report gist as if he was an auditor and perform the review of the contract code. Since the manager sees all the auditors' reports in the process, he should only describe those findings that the other auditors failed to report.
Security Auditing manager is not obligated to participate in the auditing process.
There are two possible scenarios for rewarding Security Auditors and Auditing Manager: