Merge pull request nascentxyz#9 from misirov/remove-redundancy
Remove redundancy
plotchy authored Jun 26, 2023
2 parents 8044ca4 + 6b32d79 commit 52bdcee
Showing 1 changed file with 26 additions and 29 deletions.
55 changes: 26 additions & 29 deletions incident-response-plan-template.md
@@ -1,7 +1,9 @@
# **[*Project Name*]** Incident Response Plan

## *CONFIDENTIAL - DO NOT SHARE*
## _CONFIDENTIAL - DO NOT SHARE_

Do not share this with anyone who does not need to be in the know.

<!--
Bold + Italics + Square Brackets: Fields to be filled in
-->
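Review bot: the heading change from `## *CONFIDENTIAL - DO NOT SHARE*` to `## _CONFIDENTIAL - DO NOT SHARE_` renders identically and departs from the asterisk-based italics that the comment block directly below declares as the file's convention (`Bold + Italics + Square Brackets: Fields to be filled in`); consider keeping asterisks so the whole template uses one emphasis style. The added line `Do not share this with anyone who does not need to be in the know.` is a useful addition, but "need to be in the know" is undefined; tying it to the War Room Participants list that the next hunk shows (e.g. "anyone not listed as a war room participant") would make the rule actionable during an incident.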
Expand All @@ -14,38 +16,33 @@ War Room Participants: **[*Names and contact info*]**

## Immediate Steps

- [ ] Review exploit transactions to identify vulnerability - **[*Person responsible*]**
- [ ] **Review exploit** transactions to identify vulnerability - **[*Person responsible*]**
- Tools used:
- [Phalcon Tx Explorer](https://explorer.phalcon.xyz/)
- [Foundry Transaction Replay Trace/Debugger](https://book.getfoundry.sh/reference/cast/cast-run.html#cast-run)
- [Tenderly Debugger](https://dashboard.tenderly.co/tx/mainnet/0xf427afc17bd30a84f4b47dc2eaa176115cf28bdea1110245d3b0948ca3b6595c/debugger)

- [ ] Pause contracts (if possible), take other defensive action, consider offensive action (i.e. whitehat rescues) - **[*Person responsible for coordinating*]**
- Steps:
- **[*Who, how, what addresses*]**
- Review Transaction(s) - **[*Person responsible, **should be different than whoever created the transaction***]**
- You do NOT want to be scrambling to figure out who can sign to take defensive actions. Use of [OpenZeppelin Defender](https://www.openzeppelin.com/defender) is highly recommended, as is having prepared defensive action scripts in advance that can be deployed as per the [Pre-Launch Security Checklist](https://github.com/nascentxyz/simple-security-toolkit/blob/main/pre-launch-security-checklist.md).
- [ ] Review all contracts to identify knock-on vulnerabilities. Pause those as necessary - **[*Person responsible*]**
- [ ] Update UI to reflect current status - **[*Person responsible*]**
- [ ] Contact security partners - **[*Person responsible*]**
- **[*List of past auditors and their contact info or location of shared channel*]**
- Your auditors will want to assist to the extent they are able, even if primarily to protect their own reputations
- DO NOT LET ANYONE OUTSIDE OF YOUR CIRCLE OF TRUST INTO THE WAR ROOM
- Even if attackers have successfully exfiltrated funds, do not assume stolen funds are unrecoverable. Immediately reach out to trusted parties including known security professionals or your venture investors for referrals to relevant law enforcement contacts, asset tracking experts, and recovery services.
- [ ] Post message to users in Discord - **[*Person responsible*]**
- Update regularly as meaningful new information or developments are available
- Even if nothing new is known, updates at least every 24 hours will help reassure your community that you are working to address the situation
- Run all messages by the vulnerability reviewer(s) to ensure no information is shared that inadvertently puts security at risk or commits to specific remediation before all facts are known
- [ ] Post message to users on Twitter - **[*Person responsible*]**
- Update regularly as meaningful new information or developments are available
- Even if nothing new is known, updates at least every 24 hours will help reassure your community that you are working to address the situation
- Run all messages by the vulnerability reviewer(s) to ensure no information is shared that inadvertently puts security at risk or commits to specific remediation before all facts are known
- [ ] **Pause contracts** (if possible), take other defensive action, consider offensive action (i.e. whitehat rescues) - **[*Person responsible for coordinating*]**
- Steps:
- **[*Who, how, what addresses*]**
- Review Transaction(s) - **[\*Person responsible, **should be different than whoever created the transaction**\*]**
- You do NOT want to be scrambling to figure out who can sign to take defensive actions. Use of [OpenZeppelin Defender](https://www.openzeppelin.com/defender) is highly recommended, as is having prepared defensive action scripts in advance that can be deployed as per the [Pre-Launch Security Checklist](https://github.com/nascentxyz/simple-security-toolkit/blob/main/pre-launch-security-checklist.md).
- [ ] **Review all contracts** to identify knock-on vulnerabilities. Pause those as necessary - **[*Person responsible*]**
- [ ] **Update UI** to reflect current status - **[*Person responsible*]**
- [ ] **Contact security partners** - **[*Person responsible*]**
- **[*List of past auditors and their contact info or location of shared channel*]**
- Your auditors will want to assist to the extent they are able, even if primarily to protect their own reputations
- DO NOT LET ANYONE OUTSIDE OF YOUR CIRCLE OF TRUST INTO THE WAR ROOM
- Even if attackers have successfully exfiltrated funds, do not assume stolen funds are unrecoverable. Immediately reach out to trusted parties including known security professionals or your venture investors for referrals to relevant law enforcement contacts, asset tracking experts, and recovery services.
- [ ] **Notify users** via relevant Social Media communication channels. Discord: **[*Person responsible*]**, Twitter: **[*Person responsible*]**
- Update regularly as meaningful new information or developments are available
- Even if nothing new is known, updates at least every 24 hours will help reassure your community that you are working to address the situation
- Run all messages by the vulnerability reviewer(s) to ensure no information is shared that inadvertently puts security at risk or commits to specific remediation before all facts are known

## After Immediate Steps Are Addressed

- [ ] Draft and post full public postmortem - **[*Person responsible*]**
- [ ] Prepare patch for contracts, ideally following [development process](development-process.md) guidelines - **[*Person responsible*]**
- [ ] Have patch reviewed and signed off on by past auditors
- [ ] Have patch reviewed by as many trusted members of the team and community as possible
- [ ] If the patch or potential interactions are complex enough to warrant it, strongly consider a short [Code4rena](https://code4rena.com/) contest (can be started within 48 hours)
- [ ] Deploy patch - **[*Person responsible*]**
- [ ] Draft and post full public postmortem - **[*Person responsible*]**
- [ ] Prepare patch for contracts, ideally following [development process](development-process.md) guidelines - **[*Person responsible*]**
- [ ] Have patch reviewed and signed off on by past auditors
- [ ] Have patch reviewed by as many trusted members of the team and community as possible
- [ ] If the patch or potential interactions are complex enough to warrant it, strongly consider a short [Code4rena](https://code4rena.com/) contest (can be started within 48 hours)
- [ ] Deploy patch - **[*Person responsible*]**
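Review bot: the `Review Transaction(s)` field now reads `**[\*Person responsible, **should be different than whoever created the transaction**\*]**`; the backslash escapes turn the italic markers into literal `*` characters, so this field will render with stray asterisks and no italics, breaking the `Bold + Italics + Square Brackets` convention the file declares. Suggested form: `**[*Person responsible, __should be different than whoever created the transaction__*]**`, which keeps the outer bold and italic and uses underscores for the inner emphasis. Also, the first checklist item bolds only `**Review exploit**` while every other item bolds its full verb phrase (`**Pause contracts**`, `**Review all contracts**`, `**Update UI**`, `**Contact security partners**`, `**Notify users**`); bolding `**Review exploit transactions**` would match. The merge of the Discord and Twitter items into one `**Notify users**` entry with two named owners is a good de-duplication, since the three sub-bullets were identical in both.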
