Incident Reporting
Engineer/DeveloperSecurity SpecialistMultisig Security
Authored by:
What to Report
Security incidents (report immediately)
- Key compromise or suspected compromise
- Account takeovers (email, communication platforms, etc.)
- Device theft or loss
- Suspicious activity on multisig accounts
- Phishing attempts targeting multisig operations
- Communication channel infiltration
Operational issues (Report Within 24 Hours)
- Lost access to signing keys or devices
- Failed hardware wallets or backup devices
- Communication channel failures
- Verification tool malfunctions
- Difficulty following security procedures
Near misses (report when convenient)
- Social engineering attempts
- Suspicious emails or messages
- Security procedure confusion or errors
- Training gaps or unclear documentation
How to report
Immediate security incidents
- Secure the situation first (disconnect devices, change passwords, etc.)
- Notify your multisig team via secure channels
- Email Protocol Security
- Use subject line: "URGENT: Security Incident - [Your Handle/Multisig Name]"
Standard reporting
- Email Protocol Security
- Use clear subject line: "Incident Report - [Brief Description]"
- Include required documentation (see below)
- Follow up if you don't receive acknowledgment within 48 hours
Emergency contact
For critical security incidents requiring immediate response: Email: security team
Emergency notification template
Use this template for security incidents or key compromises:
Subject: [URGENT] Multisig Security Incident - [Multisig Name]
Immediate details:
- Multisig address: [ADDRESS]
- Classification: [Impact Level / Operational Type]
- Incident type: [Key Compromise / Communication Failure / System Issue]
- Time of discovery: [TIMESTAMP]
- Reporting signer: [NAME/HANDLE]
Situation summary: [Brief description of what happened and current status]
Immediate actions taken:
□ Stopped non-emergency operations
□ Isolated affected systems
□ Notified team members
□ [Other actions]
Next steps required:
□ Security team assessment
□ Key rotation process
□ Emergency transaction execution
□ [Other actions]
Current multisig status:
- Available signers: [X/Y]
- Communication status: [Operational/Compromised]
- Operational capability: [Full/Limited/Suspended]Documentation
Simple incident report template:
Incident report
Date/Time: [When incident occurred]
Reported by: [Your handle]
Multisig(s) affected: [Names/addresses]
What happened:
[Brief description of the incident]
When discovered:
[How and when you became aware]
Actions taken:
- [Step 1]
- [Step 2]
- [Step 3]
Current status:
[Resolved/Ongoing/Assistance needed]
Impact:
[None/Limited/Significant - brief explanation]
Additional notes:
[Any other relevant information]