Incident Reporting

Engineer/Developer, Security Specialist, Multisig Security

Authored by:

Isaac Patka (SEAL | Shield3)
Geoffrey Arone (Shield3)
Louis Marquenet (Opsek)
Pablo Sabbatella (SEAL | Opsek)
Dickson Wu (SEAL)

Reviewed by:

Piña (Coinspect)
engn33r

What to Report

Security incidents (report immediately)

  • Key compromise or suspected compromise
  • Account takeovers (email, communication platforms, etc.)
  • Device theft or loss
  • Suspicious activity on multisig accounts
  • Phishing attempts targeting multisig operations
  • Communication channel infiltration

Operational issues (report within 24 hours)

  • Lost access to signing keys or devices
  • Failed hardware wallets or backup devices
  • Communication channel failures
  • Verification tool malfunctions
  • Difficulty following security procedures

Near misses (report when convenient)

  • Social engineering attempts
  • Suspicious emails or messages
  • Security procedure confusion or errors
  • Training gaps or unclear documentation

How to report

Immediate security incidents

  1. Secure the situation first (disconnect devices, change passwords, etc.)
  2. Notify your multisig team via secure channels
  3. Email Protocol Security
  4. Use subject line: "URGENT: Security Incident - [Your Handle/Multisig Name]"

Standard reporting

  • Email Protocol Security
  • Use clear subject line: "Incident Report - [Brief Description]"
  • Include required documentation (see below)
  • Follow up if you don't receive acknowledgment within 48 hours

Emergency contact

For critical security incidents requiring immediate response: Email: security team

Emergency notification template

Use this template for security incidents or key compromises:

Subject: [URGENT] Multisig Security Incident - [Multisig Name]
 
Immediate details:
- Multisig address: [ADDRESS]
- Classification: [Impact Level / Operational Type]
- Incident type: [Key Compromise / Communication Failure / System Issue]
- Time of discovery: [TIMESTAMP]
- Reporting signer: [NAME/HANDLE]
 
Situation summary: [Brief description of what happened and current status]
 
Immediate actions taken:
□ Stopped non-emergency operations
□ Isolated affected systems
□ Notified team members
□ [Other actions]
 
Next steps required:
□ Security team assessment
□ Key rotation process
□ Emergency transaction execution
□ [Other actions]
 
Current multisig status:
- Available signers: [X/Y]
- Communication status: [Operational/Compromised]
- Operational capability: [Full/Limited/Suspended]

Documentation

Simple incident report template:

Incident report
 
Date/Time: [When incident occurred]
Reported by: [Your handle]
Multisig(s) affected: [Names/addresses]
 
What happened:
[Brief description of the incident]
 
When discovered:
[How and when you became aware]
 
Actions taken:
- [Step 1]
- [Step 2]
- [Step 3]
 
Current status:
[Resolved/Ongoing/Assistance needed]
 
Impact:
[None/Limited/Significant - brief explanation]
 
Additional notes:
[Any other relevant information]