<aside> ⚠️ To raise an incident, contact [email protected]
</aside>
This document establishes the plan for managing information security incidents and events, and offers guidance for employees or incident responders who believe they have discovered, or are responding to, a security incident.
This policy covers all information security or data privacy events or incidents.
If a Sourcegraph employee, contractor, user, or customer becomes aware of any possible information security event or incident, unauthorized access, policy violation, security weakness, or suspicious activity, they can report the incident by emailing [email protected].
If there is strong reason to believe that the possible security incident is ongoing and could have significant impact to data or systems belonging to Sourcegraph or its clients, the incident should be raised by emailing [email protected]. This method should be used with caution as it will page the Security team immediately.
Reports should include specific details about what has been observed or discovered.
When raising a security incident, Sourcegraph's security team will assign the incident a severity based on the following categories:
Issues meeting this severity are simply suspicions or odd behaviors. They are not verified and require further investigation. There is no clear indicator that systems have tangible risk and do not require emergency response. This includes lost/stolen laptop with disk encryption, suspicious emails, outages, strange activity on a laptop, etc.
High severity issues relate to problems where an adversary or active exploitation hasn’t been proven yet, and may not have happened, but is likely to happen. This may include lost/stolen laptop without encryption, vulnerabilities with direct risk of exploitation, threats with risk or adversarial persistence on our systems (e.g.: backdoors, malware), malicious access of business data (e.g.: passwords, vulnerability data, payments information), or threats that put any individual at risk of physical harm.