Cantina Publication and Citation Guidelines

Introduction

Cantina has set forth these guidelines to elucidate how stakeholders can employ the outcomes of a Cantina Managed security review to communicate that necessary security measures have been taken for their respective protocols or projects. We aspire to maintain guidelines that foster mutual respect, champion fairness, and highlight Cantina's credibility as a neutral marketplace in the web3 security domain providing industry-leading quality reviews.

Security Review Publications and Citations

Once the researcher team assigned by Cantina has finalized the security review report, we highly recommend that clients publicize the report in whatever medium they deem reasonable or best for sharing their results with all relevant stakeholders.

Citations and Name Usage

Below are the guidelines for working with Cantina regarding citations of the Cantina name in any publications or announcements after the final report has been completed:

  1. Clients should not make any announcements, publications, or otherwise describe our work unless the client has coordinated with Cantina to get the language approved.
  2. Clients should not announce an intention to work with Cantina as this may imply Cantina’s endorsement of clients’ products and their security before an agreement has been reached.
  3. Upon publication of any information regarding a final report or having worked with Cantina, there is to be no mention of Spearbit unless directly requested and confirmed by the Spearbit team. Cantina operates as a separate entity and all references upon the completion of an assessment and all respective deliverables, announcements, or any other relevant pieces of information related to it must be under the Cantina name.
  4. Cantina will not provide comments or quotes surrounding review results or the overall security of the product outside of the delivered report.

Publishing

Prior to publishing we encourage the following:

  1. Inform the Cantina team via your relevant communication channel that you intend to publish the report of your security review, as well as the locations where the publication will be live (Twitter, Blog Posts, Website, etc.).
  2. Upon publication by the client, Cantina will publish the report on the Cantina website along with any relevant communication channels in order to amplify visibility to both Cantina’s and the client’s network.
  3. After publication, Cantina highly recommends a follow-up case study with the client in order to demonstrate the details of the review process and continue to build upon the client’s relationship with Cantina. If you would like to conduct a case study after the publication of your review, please contact omar@spearbit.com to begin the process. For examples of case studies, you may visit https://cantina.mirror.xyz/.

Example

Good

We are proud to announce that CLIENT has performed a security review through Cantina - the one-stop shop for all your web3 security needs. The security review was conducted by Cantina’s assembled team of top security researchers and is available here for viewing:

REPORT-LINK

Bad

We are proud to announce that we are working with Spearbit to start a review for our protocol. We are waiting for the Spearbit team to finalize but are excited to kick-off this process.

Issues

  • Mention of Spearbit instead of Cantina without explicit Spearbit consent
  • Mention of a potential review without finalizing any agreement

© 2023 Cantina. All rights reserved.