Incident Response Playbook
Helios Digital • Gold Issuance Facility
Severity Levels
Active exploit / backing integrity threatened
Partial outage / potential exploit
Localized issues
Informational
Authority
Golden Rules
Facts only. No promises. No timelines unless you can meet them.
Preserve evidence: logs, snapshots, keys, configs.
Every admin action must be logged with who/what/why.
Runbook (SEV1)
T+0 (0–60 minutes)
- Declare incident channel + incident commander (Ops Lead).
- Pause issuance contracts / disable onboarding as needed.
- Snapshot system state: token supply, backing positions, last merkle root, outstanding redemptions.
- Rotate credentials if compromise suspected.
T+1–6 hours
- Establish root cause hypothesis.
- Contain blast radius.
- Draft public statement: what happened (known), what is paused, where to verify reserves, next update time.
T+6–24 hours
- Implement fix or containment.
- Notify key partners (custody, on/off-ramps, venues).
- Start post-mortem doc while memory is fresh.
Communications Templates
Initial Statement
"We identified an issue affecting [system]. Issuance has been paused as a precaution. Reserves and published proofs remain available at [verification page]. Next update at [time]."
Update Statement
"Update: [new facts]. Actions taken: [list]. Current status: [status]. Next update at [time]."
Resolution Statement
"The issue is resolved/contained. Summary: [facts]. Corrective actions: [facts]. Post-mortem will be published internally and key learnings applied."
Evidence Retention
- Keep all logs and snapshots at least 7 years (or per counsel).
- Never delete financial records; only append corrections.
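One way to make the "who/what/why" rule under Golden Rules and the append-only rule above checkable is a hash-chained action log, shown here as an added example that is not part of the original playbook or any Helios Digital tooling. The field names, the `corrects` pointer and the sample entries are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the hash chain


def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, who, what, why, ts, corrects=None):
    """Append one admin action. `corrects` is the index of an earlier entry
    that this one supersedes; the earlier entry itself is never edited."""
    if not (who and what and why):
        raise ValueError("who, what and why are all required")
    if corrects is not None and not 0 <= corrects < len(log):
        raise ValueError("correction must reference an existing entry")
    body = {
        "seq": len(log), "ts": ts, "who": who, "what": what, "why": why,
        "corrects": corrects,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return log[-1]


def verify(log):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    # Constructed sample entries, not taken from any real incident.
    log = []
    append_entry(log, "ops-lead", "pause issuance contracts", "SEV1 declared", "2024-01-01T00:05:00Z")
    append_entry(log, "ops-lead", "snapshot: token supply, last merkle root", "preserve evidence", "2024-01-01T00:12:00Z")
    append_entry(log, "ops-lead", "snapshot also covers outstanding redemptions", "entry 1 was incomplete", "2024-01-01T00:20:00Z", corrects=1)
    return log
```

The chain only detects edits and deletions if the latest hash is also recorded somewhere the log's writer cannot rewrite, such as a separate system or a signed export.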
Law Enforcement / Legal
- Only Legal Lead interfaces.
- Any freeze/clawback must follow published policy and be logged publicly where possible.