Skill Being Reviewed
skills/incident-response/ir-playbook
Review Focus
The skill covers incident trigger, affected systems, timelines, severity, containment, evidence, escalation, and notification planning. The gap I found is the incident communication clock: teams often know a breach may have notification obligations, but the playbook should force evidence of when legal/regulatory clocks started, who owns them, and which out-of-band channels remain trusted if primary identity or messaging systems are compromised.
Coverage Gap
Please add a communication-clock and trusted-channel check:
- Record the timestamp that starts each notification clock, plus jurisdiction or contract source.
- Assign a named owner for legal, regulator, customer, cyber-insurance, law-enforcement, and vendor notifications.
- Define out-of-band communications that do not rely on compromised SSO, email, chat, or endpoint management.
- Require a communications freeze/approval path for public statements, support replies, and sales/customer-success messaging.
- Preserve evidence for why a notification was made, delayed, or deemed not required.
False Positive Analysis
Not every SEV-3 needs regulator notification. The review should focus on documented decision quality: if legal counsel records why notice is not required, that is stronger than automatic over-notification.
Edge Cases
- An identity-provider compromise can make normal chat and email untrusted.
- Cyber-insurance policies may require notice before an external IR firm is retained.
- Public cloud providers and SaaS vendors may have separate contractual notice windows.
- A data-exfiltration suspicion may start internal clocks before final impact is known.
Suggested Acceptance Criteria
- Add notification-clock fields to the incident worksheet.
- Add trusted out-of-band communications requirements.
- Add owner/approval checks for external messaging.
- Require evidence for no-notification decisions.
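One way to make these acceptance criteria checkable, as an added example that is not part of the skill under review: a validator over an incident worksheet that flags missing clock-start evidence, expired clocks without a decision, undocumented no-notification decisions, unassigned owners, and the absence of any channel independent of compromised systems. The worksheet schema, field names, notice windows and sample values are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Notification categories that must have a named owner (from the review above).
REQUIRED_OWNERS = ("legal", "regulator", "customer", "cyber-insurance",
                   "law-enforcement", "vendor")

def check_worksheet(ws, now, compromised):
    """Return findings for one incident worksheet (hypothetical schema).
    ws["clocks"]: dicts with name, started_at, source, window_hours, owner,
                  decision ("sent" | "delayed" | "not-required" | None), rationale
    ws["owners"]: {category: person}; ws["channels"]: dicts with name, depends_on
    compromised: set of systems known or suspected compromised."""
    findings = []
    for c in ws.get("clocks", []):
        for field in ("started_at", "source", "owner"):   # clock-start evidence
            if not c.get(field):
                findings.append(f"clock {c['name']}: missing {field}")
        if c.get("started_at") and c.get("window_hours"):
            deadline = c["started_at"] + timedelta(hours=c["window_hours"])
            if deadline < now and c.get("decision") not in ("sent", "not-required"):
                findings.append(f"clock {c['name']}: deadline {deadline.isoformat()} "
                                "passed with no decision")
        if c.get("decision") in ("delayed", "not-required") and not c.get("rationale"):
            findings.append(f"clock {c['name']}: {c['decision']} decision has no rationale")
    for cat in REQUIRED_OWNERS:
        if not ws.get("owners", {}).get(cat):
            findings.append(f"no owner assigned for {cat} notifications")
    # A channel is trusted only if none of the systems it relies on is compromised.
    trusted = [ch["name"] for ch in ws.get("channels", [])
               if not set(ch.get("depends_on", ())) & set(compromised)]
    if not trusted:
        findings.append("no out-of-band channel is independent of compromised systems")
    return findings

# Constructed sample worksheet; all timestamps, windows and names are made up.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = {
    "clocks": [
        {"name": "regulator", "started_at": T0, "source": "breach-notice rule (placeholder)",
         "window_hours": 72, "owner": "A. Counsel", "decision": None, "rationale": None},
        {"name": "cyber-insurance", "started_at": T0, "source": "policy clause (placeholder)",
         "window_hours": 24, "owner": "B. Risk", "decision": None, "rationale": None},
        {"name": "customer", "started_at": None, "source": "MSA (placeholder)",
         "window_hours": 48, "owner": "C. Success", "decision": "not-required", "rationale": None},
    ],
    "owners": {"legal": "A. Counsel", "regulator": "A. Counsel", "customer": "C. Success",
               "cyber-insurance": "B. Risk", "vendor": "D. Procurement"},
    "channels": [{"name": "chat", "depends_on": ["sso"]},
                 {"name": "corp-email", "depends_on": ["sso", "email"]},
                 {"name": "conference-bridge", "depends_on": ["phone"]}],
}

def sample_findings(compromised=("sso", "email")):
    """Run the check at a constructed 'now' of 2024-06-03 12:00 UTC."""
    return check_worksheet(SAMPLE, T0 + timedelta(hours=51), set(compromised))
```

With the default compromised set the sample yields four findings (an expired insurance clock, a customer clock with no start time and no rationale for "not required", and no law-enforcement owner); adding "phone" to the compromised set also triggers the trusted-channel finding.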
Bounty Info
This is submitted as a skill review bounty claim. Preferred payout: PayPal samik4184@gmail.com.