Status — April 2026: Our incident response framework is operational for technical detection and containment, but the formal Incident Response Plan (IRP) with named responders, escalation trees, and tabletop-tested runbooks is in draft. Target publication: Q2 2026. See SOC 2 readiness. The mitigations and commitments on this page are live today; the formalization is in progress.

Report an incident or vulnerability

security@denialbase.com

Send a detailed description of what you observed. Include timestamps, affected accounts, and any reproduction steps. PGP key available on request. We acknowledge within 2 business days.

Customer-facing outage or active attack

For anything in progress affecting customer data, mark the email subject with [URGENT]. On-call engineer paged directly.

Severity levels

Level | Example | Response time | Owner
Sev-1 | Confirmed PHI breach, prolonged platform outage, active attack | 15 min ack / 1 hr response | CTO + Security Officer
Sev-2 | Suspected data exposure, degraded service for many customers, authentication subsystem failure | 1 hr ack / 4 hr response | On-call + Security Officer
Sev-3 | Single-customer issue, non-PHI data issue, low-severity vuln | Next business day | On-call
Sev-4 | Minor bug, cosmetic issue, non-security report | Normal triage queue | Support

Response phases

1. Detect

  • Automated alerts (Cloud Monitoring) on failed-login spikes, bulk exports, off-hours admin, auth subsystem anomalies.
  • External reports via security@denialbase.com.
  • Sentry error-rate alerts.
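As an added illustration of two of the detection signals listed above (failed-login spikes and off-hours admin activity), the following is example code, not the Cloud Monitoring alerting used in production; the log format, the 5-failures-in-5-minutes threshold and the 08:00-18:00 UTC business window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: "<UTC timestamp> <actor> <event> <source IP>".
SAMPLE_LOG = """\
2026-04-03T09:00:05Z alice login_failed 203.0.113.10
2026-04-03T09:00:09Z alice login_failed 203.0.113.10
2026-04-03T09:00:14Z alice login_failed 203.0.113.10
2026-04-03T09:00:20Z alice login_failed 203.0.113.10
2026-04-03T09:00:27Z alice login_failed 203.0.113.10
2026-04-03T09:00:31Z alice login_ok 203.0.113.10
2026-04-03T12:15:00Z bob admin_role_grant 198.51.100.7
2026-04-03T23:40:12Z bob admin_export_users 198.51.100.7
2026-04-03T23:41:02Z carol login_failed 192.0.2.44
"""

def parse_log(text):
    """Parse the constructed log format into dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        ts, actor, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "actor": actor, "event": event, "ip": ip})
    return events

def failed_login_spikes(events, threshold=5, window=timedelta(minutes=5)):
    """Map actor -> peak failed-login count for actors hitting `threshold`
    failures inside any sliding `window` (threshold/window are assumptions)."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login_failed":
            per_actor[e["actor"]].append(e["ts"])
    spikes = {}
    for actor, stamps in per_actor.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop stamps older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                spikes[actor] = max(count, spikes.get(actor, 0))
    return spikes

def off_hours_admin(events, start_hour=8, end_hour=18):
    """Return admin_* events outside assumed business hours (08:00-18:00 UTC)."""
    return [e for e in events if e["event"].startswith("admin_")
            and not start_hour <= e["ts"].hour < end_hour]
```

In the sample data, alice's five failures inside one minute trip the spike rule and bob's 23:40 export is flagged as off-hours, while bob's 12:15 role grant is not.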
2. Triage

On-call engineer confirms the signal, assigns severity, and creates an incident record. PHI involvement is a hard triage question at this step.
3. Contain

  • Revoke compromised credentials, disable affected accounts, block abusive IPs at Cloud Armor.
  • Isolate affected services (scale down, disable integrations, invalidate sessions).
  • Preserve evidence — snapshot databases, capture logs, disable destructive cleanup jobs.
4. Eradicate & recover

  • Identify and patch the root cause.
  • Restore affected services to known-good state.
  • Rotate any potentially exposed secrets.
5. Notify

  • Covered-entity customers notified per the BAA breach clause within 60 days of discovery, earlier where possible.
  • Regulators notified per HIPAA §164.408 if ≥500 individuals affected.
  • Status page updated for any customer-visible impact.
6. Post-incident review

  • Blameless post-mortem within 5 business days of resolution.
  • Remediation items tracked with owner + target date.
  • Published internally; sanitized summary provided to customers on request.

HIPAA breach assessment

If PHI may have been affected, we run a §164.402 probability-of-compromise assessment considering:
  1. The nature and extent of the PHI involved.
  2. The unauthorized person or system who obtained it.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which risk has been mitigated.
The outcome (breach confirmed / low-probability exception) is documented regardless. Low-probability findings are retained in our incident file for 6 years.

Coordinated disclosure

Security researchers who find and report vulnerabilities responsibly will receive:
  • Acknowledgement within 2 business days.
  • Reasonable coordination on public disclosure timing (typically ≤90 days).
  • Credit in our security changelog (with permission).
  • At this time we do not pay bug bounties, but we’d like to change that — contact us if you find something serious.

Current limitations — honest status

We have an on-call rotation for service outages; for security-specific events we rely on automated alerts routed to the on-call engineer, with escalation to the Security Officer. A dedicated SOC or third-party MDR is on the roadmap once the pentest and IRP formalization are complete.
IRP tabletop exercises are planned for Q2 2026 immediately after the plan is finalized. Findings will be rolled back into this page.
First third-party pentest engagement targeted for Q3 2026. See Penetration testing.