> For the complete documentation index, see [llms.txt](https://dualguard.gitbook.io/dualguard/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dualguard.gitbook.io/dualguard/security-reviews/security-reviews-for-protocol-teams/how-security-review-contests-work.md).

# How Security Review Contests Work

DualGuard security review contests are structured public reviews. Many guards analyze the same frozen scope under clear rules, incentives, and judging.

Teams usually use this flow for:

* First mainnet launches
* Major upgrades
* High-risk releases with new integrations or core logic changes

### The end-to-end process

#### 1. Request and scoping

Your team submits an intake request with the repo, target release, architecture context, and timing goals.

DualGuard reviews the scope boundary, expected attack surface, and the best review format for the release.

#### 2. Quote and scheduling

DualGuard prices the engagement based on scope size, complexity, and review format.

Once the quote is accepted, your team reserves a slot and aligns on the contest calendar.

#### 3. Scope freeze and materials

Before the review starts, your team provides:

* The final commit, branch, or tagged release candidate
* Setup instructions and testing guidance
* Deployment context, assumptions, and known limitations

This frozen version is the baseline for submissions, judging, and remediation planning.

#### 4. Kickoff and agentic contest

The review usually starts with an [Agentic Security Review Contest](/dualguard/security-reviews/security-reviews-for-protocol-teams/agentic-security-review-contests.md).

At kickoff, guards get the pinned scope and project context. Your team should attend the walkthrough and stay available for questions. Fast answers reduce ambiguity and improve signal.

#### 5. Judging for the agentic contest

Submissions from the agentic phase are judged and deduplicated.

This gives your team an early set of validated findings and helps sharpen the next review stage.

#### 6. Traditional contest window

After the agentic phase, DualGuard runs the main competitive security review contest.

Guards review the same frozen scope in parallel. DualGuard also staffs the contest with 2 Lead Guards and 2 Lead Judges for stronger coverage and cleaner outcomes.

#### 7. Community judging

When the contest ends, community judges review submissions and provide an initial assessment.

This phase helps rank likely outcomes quickly and surfaces the issues that need deeper review.

For details, see [Judges](/dualguard/security-reviews/judges.md).

#### 8. Dual judging

The 2 Lead Judges then review the submission set in depth.

They validate findings, group duplicates, assign severity, and write reasoning for their decisions. This is where the contest output becomes a fix-ready issue set.

#### 9. Escalations and final judgment

After preliminary results are posted, guards can escalate contested decisions during a fixed review window.

DualGuard then completes final judgment. Escalated issues are re-reviewed and the results are finalized.

#### 10. Acknowledgement and remediation planning

Your team reviews the final findings and decides which items will be fixed for the release.

At this stage, you should also map each planned fix to a PR or commit path. Clear mapping makes verification much faster.

#### 11. Mitigation review

Once fixes are ready, DualGuard reviews the remediation to confirm:

* The original issue is no longer reachable
* The fix behaves as intended
* The patch does not introduce new risk nearby

If the remediation changes the attack surface in a meaningful way, DualGuard may recommend a short follow-up review instead of a routine verification pass.

For more detail, see [Mitigation Review](/dualguard/security-reviews/security-reviews-for-protocol-teams/mitigation-review.md).

### What your team should prepare

The smoothest contests happen when the release candidate is stable and easy to review.

Before kickoff, make sure you can provide:

* A clean frozen scope
* Reliable setup and test instructions
* A responsive team contact during the contest

The more ambiguity you remove up front, the more time guards spend on real attack paths.

### Planning timelines

Contest length is only one part of the release schedule.

Your launch plan should also budget time for:

* Agentic review and the main contest window
* Judging, deduplication, and final judgment
* Remediation and fix verification

{% hint style="warning" %}
Do not plan a launch immediately after the main contest ends.

The post-contest phases can be short or they can take weeks. Timing depends on the number of submissions, the complexity of disputed issues, and the size of the remediation set.

Two timeline points are predictable:

* The main contest duration is set during scoping
* The escalation window lasts 72 hours after preliminary results

Everything after that depends on issue volume and how quickly your team ships clean fixes.
{% endhint %}

For duration guidance, see [Security Review Contest Timeline](/dualguard/security-reviews/protocol-teams/security-review-contest-timeline.md).
