{"id":21055580,"url":"https://github.com/atatus/incident-response-plan","last_synced_at":"2026-04-02T02:37:18.208Z","repository":{"id":96559917,"uuid":"141387121","full_name":"atatus/incident-response-plan","owner":"atatus","description":"Atatus Incident Response Plan","archived":false,"fork":false,"pushed_at":"2018-07-18T05:53:33.000Z","size":1,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-20T19:15:20.094Z","etag":null,"topics":["atatus","incident-response","plan"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atatus.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-18T05:52:07.000Z","updated_at":"2018-07-18T05:54:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"5911830d-7013-444c-ad33-5037d08def5c","html_url":"https://github.com/atatus/incident-response-plan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atatus%2Fincident-response-plan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atatus%2Fincident-response-plan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atatus%2Fincident-response-plan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atatus%2Fincident-response-plan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atatus","
download_url":"https://codeload.github.com/atatus/incident-response-plan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243500803,"owners_count":20300774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["atatus","incident-response","plan"],"created_at":"2024-11-19T16:46:19.677Z","updated_at":"2025-12-29T12:21:16.884Z","avatar_url":"https://github.com/atatus.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Atatus Incident Response Plan\n\nThis document offers guidance for employees or incident responders who believe they have discovered or are responding to a security incident.\n\n## Escalation\n\nAn email to panic@atatus.com or a message to #panic should be used to notify the security team of run-of-the-mill issues. Be a good witness. Behave as if you were reporting a crime and include lots of specific details about what you have discovered.\n\n## Severity\n\n### Low and Medium Severity\n\nIssues meeting this severity are simply suspicions or odd behaviors. They are not verified and require further investigation. There is no clear indicator that systems are at tangible risk, and they do not require an emergency response. 
This includes suspicious emails, outages, or strange activity on a laptop.\n\nAn email to panic@atatus.com or a message to #panic should be used to notify the security team of low or medium severity issues.\n\n### High Severity\n\nHigh severity issues relate to problems where an adversary or active exploitation hasn’t been proven yet, and may not have happened, but is likely to happen. This may include vulnerabilities with direct risk of exploitation, threats with risk of adversarial persistence on our systems (e.g. backdoors, malware), malicious access to business data (e.g. passwords, vulnerability data, payment information), or threats that put any individual at risk of physical harm.\n\nHigh severity issues should include an email to panic@atatus.com with “Urgent” in the subject line, or a message to #security with “@channel incident” in the message to alert incident responders.\n\n### Critical Severity\n\nCritical issues relate to actively exploited risks and involve a malicious actor. Identification of active exploitation is critical to this severity category.\n\nCritical severity issues should involve a message to “@channel” in #security and #panic, as well as messages to the CEO and CTO. Continue escalation until you receive acknowledgement. Involvement of a crisis lead for public relations, a lawyer familiar with breach notification, and a “heads up” to our consultant response partners are highly recommended.\n\n## Unauthorized Client Data Access\n\nBy definition, the detection of unauthorized access to client data is a critical-severity incident. If unauthorized access is detected, the response team should make the client's security representatives aware of the breach, in addition to following the procedure outlined above under \"Critical Severity.\"\n\n## Internal Issues\n\nIssues where the malicious actor is an internal employee, contractor, vendor, or partner require sensitive handling. 
Please contact the CEO and CTO directly and do not discuss the matter with other employees. These are critical issues and must be followed up on.\n\n## Response Steps\n\nFor critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, remediate our vulnerability, and document a post-mortem with the lessons of the incident.\n\n1. The CTO or CEO will determine whether a lawyer should be included and whether attorney-client privilege between responders will begin.\n2. A central “War Room” will be designated.\n3. The following meeting will occur at regular intervals until the incident is resolved:\n\n### Breach Response Meeting — Agenda\n- Update Breach Timeline\n- New Indicators of Compromise\n- Investigative Q\u0026A\n- Emergency Mitigations\n- Long Term Mitigations (including Root Cause Analysis)\n- Notify customers about the incident through email and blog.\n\nWe will _Update a Breach Timeline_ with all known temporal data related to the incident. All _Indicators of Compromise_ will be updated and shared among breach responders. The group will add new knowns and unknowns to the _Investigative Q\u0026A_. A list of tactical _Emergency Mitigations_ will be updated. A list of long-term, post-breach _Long Term Mitigations_ will be updated. Once items related to response are covered, technical responders may leave the meeting, and meta-topics related to the breach (communications, legal issues, blog posts, etc.) are discussed with leadership.\n\n## Runbooks\n\u003e To engineers: add links to runbooks that follow from vulnerability assessments / penetration tests here.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatatus%2Fincident-response-plan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatatus%2Fincident-response-plan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatatus%2Fincident-response-plan/lists"}