Security Incident Response Plan v1.0

Last updated: June 2026 | Public Release v1.0

Formal Emergency Response Procedure

1. Incident Response Principles

The ANCORA Security Incident Response Plan defines the standardized procedure for detecting, responding to, and resolving security incidents. The primary objectives are:

Protect user funds and network integrity

Minimize network downtime and disruption

Maintain transparent communication with stakeholders

Prevent recurrence through post-incident improvement

2. Incident Severity Classification

3. Incident Response Team

The permanent Security Incident Response Team (SIRT) consists of:

2 Lead Security Engineers (24/7 on-call rotation)

2 Core Protocol Developers

1 Governance Coordinator

1 Communications Lead

1 External Security Advisor

All team members have pre-configured emergency access and are available 24/7/365.

4. SEV 0 Critical Incident Response Procedure

Detection (T+0): Incident detected via monitoring, a bug report, or an on-chain anomaly

Activation (T+15 min): SIRT fully activated, emergency communication channel established

Assessment (T+30 min): Root cause analysis, impact assessment, scope determination

Containment (T+1 hour):

Activate emergency governance mode

Pause transaction processing if necessary

Deploy temporary mitigation measures

Remediation (T+4 hours):

Develop and test security patch

Coordinate validator upgrade deployment

Prepare network fork if required

Recovery (T+24 hours):

Deploy patch to network

Restore normal network operation

Verify complete incident resolution

Communication:

Initial public statement within 1 hour of detection

Regular updates every 2 hours during incident

Full post-mortem report published within 7 days

5. Emergency Governance Powers

For SEV 0 incidents only, the 9-member Emergency Security Council may exercise limited temporary powers:

Pause transaction processing for a maximum of 24 hours

Deploy emergency security patches without full governance vote

Coordinate a network hard fork to resolve an exploit

Freeze attacker addresses holding proven stolen funds

All emergency powers automatically expire after 30 days, with full authority returning to normal governance.

6. Post-Incident Process

Full root cause analysis completed within 3 days

Detailed public post-mortem report published within 7 days

All contributing factors documented and addressed

Additional security controls implemented to prevent recurrence

Incident response plan updated based on lessons learned

Full third-party audit of incident and remediation