What are the typical steps after a smart contract bug is found?
2 Answers
0
I found a bug, reproduced it, wrote a patch, got a formal review, deployed to a testnet, and notified auditors before a mainnet fix.
0
0
Found a bug in a live contract last year. First, I reproduced it reliably on a local fork and on a staging testnet, so I wasn't guessing. Then I mapped the exploit path and the potential impact on users. I classify severity: critical if funds can be drained, high if service is disrupted.

I alert the team and the security/engineering leads and share a one-page incident note. If possible, I pause the contract using an emergency stop or pause function; if not, I flag it for a fast redeploy and disable wrappers.

Next, I craft a minimal patch, keeping changes small and auditable, and add regression tests and edge cases. I spin up a private network to retest the fix, run fuzz tests, and do a formal security review with a peer. I coordinate disclosure with the project's policy and bounty program; sometimes we notify the bug bounty platform.

Then I plan the redeploy: migrations, state management, and a cautious rollout. After deploy, I monitor live metrics, publish an incident report, and run a postmortem to prevent similar bugs.
0
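The answer above mentions three concrete mechanisms: an emergency-stop/pause function, a regression test for the fixed path, and fuzz tests run before redeploy. The following is an added example (not code from either answer or from any particular project) showing what those look like in a minimal ETH vault with a Foundry test contract. `Vault`, the `guardian` role, the custom errors, and the `forge-std/Test.sol` import are assumptions for this example; the fork line in the comment assumes an `RPC_URL` environment variable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not from the original answer. A minimal vault with an
// emergency stop held by a separate guardian key, plus tests that would be
// added alongside a patch. Names here are assumptions chosen for illustration.
contract Vault {
    error Paused();
    error NotGuardian();
    error InsufficientBalance();
    error TransferFailed();

    address public immutable guardian; // pause key, kept separate from admin/upgrade keys
    bool public paused;
    mapping(address => uint256) public balanceOf;

    event PausedSet(bool paused);

    modifier whenNotPaused() {
        if (paused) revert Paused();
        _;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    constructor(address _guardian) {
        guardian = _guardian;
    }

    // Emergency stop: one call freezes value movement while a fix is prepared.
    function setPaused(bool p) external onlyGuardian {
        paused = p;
        emit PausedSet(p);
    }

    function deposit() external payable whenNotPaused {
        balanceOf[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is reduced before the external call.
    function withdraw(uint256 amount) external whenNotPaused {
        if (balanceOf[msg.sender] < amount) revert InsufficientBalance();
        balanceOf[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}

contract VaultTest is Test {
    Vault vault;
    address guardian = makeAddr("guardian");
    address user = makeAddr("user");

    function setUp() public {
        // To reproduce against live state instead of a fresh deploy, fork first:
        // vm.createSelectFork(vm.envString("RPC_URL"));
        vault = new Vault(guardian);
        vm.deal(user, 100 ether);
        vm.prank(user);
        vault.deposit{value: 10 ether}();
    }

    // Regression test: once paused, no withdraw path moves funds.
    function test_PausedWithdrawReverts() public {
        vm.prank(guardian);
        vault.setPaused(true);

        vm.prank(user);
        vm.expectRevert(Vault.Paused.selector);
        vault.withdraw(1 ether);
        assertEq(address(vault).balance, 10 ether);
    }

    // The pause key must not be usable by arbitrary callers.
    function test_OnlyGuardianCanPause() public {
        vm.prank(user);
        vm.expectRevert(Vault.NotGuardian.selector);
        vault.setPaused(true);
    }

    // Fuzz test: for any amount, a withdraw never pays out more than the
    // caller's recorded balance, and accounting stays consistent afterwards.
    function testFuzz_WithdrawNeverExceedsBalance(uint256 amount) public {
        amount = bound(amount, 0, 20 ether);
        uint256 before = user.balance;
        vm.prank(user);
        if (amount > 10 ether) {
            vm.expectRevert(Vault.InsufficientBalance.selector);
            vault.withdraw(amount);
        } else {
            vault.withdraw(amount);
            assertEq(user.balance - before, amount);
            assertEq(vault.balanceOf(user), 10 ether - amount);
        }
    }
}
```

Run with `forge test`. The pause key is deliberately a different address from any upgrade or admin role, so a compromised or slow admin process does not block an emergency stop; the fuzz test is the kind of property check worth keeping in the suite permanently rather than only running once before the redeploy.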