Internal Incident Reporting Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the internal channel through which any Glassbreak workforce member can raise a suspected security or compliance concern, and how those concerns are triaged. It exists so that a workforce member who notices something is wrong has an unambiguous, low-friction route to report it — with confidence that the report will be acted on and that there will be no retaliation.
This internal channel is distinct from the external disclosure channel at security@glassbreak.io (described in the Coordinated Disclosure Policy), which is for external researchers, customers, and third-party reporters. Workforce members may also use the external channel where appropriate, but this internal channel is the primary route for workforce-originated reports.
2. Scope
- All workforce members (employees, contractors, advisors, interns).
- Any suspected security, compliance, or ethics concern relating to Glassbreak or to any party acting on Glassbreak's behalf — including suspected breach of a Glassbreak policy, suspected breach of law in the context of Glassbreak work, suspected misuse of customer data or systems, and suspected pressure to misrepresent Glassbreak's security posture or compliance position.
3. What to report
The following are examples of what falls within this procedure. The list is illustrative, not exhaustive — if in doubt, report.
- Suspected unauthorised access to customer data, administrative metadata, or audit logs.
- Suspected tampering with audit log entries or with other tamper-relevant records.
- Suspected compromise of a workstation, mobile device, hardware key, or any other credential — including the reporter's own credential.
- Suspected violation of any published Glassbreak policy, by any workforce member regardless of seniority.
- Suspected request to bypass a documented control (review, MFA, change-management process, least-privilege restriction).
- Suspected misrepresentation — to a customer, an auditor, a supervisory authority, or the public — of a Glassbreak security or compliance position.
- Suspected sub-processor or supplier behaviour that would affect Glassbreak customers (data handling, notification timeliness, security posture).
- Suspected harassment, discrimination, or unsafe behaviour with a security or compliance component.
- Any other behaviour the reporter reasonably believes warrants attention.
Reports made in good faith are welcome even where the reporter is uncertain whether the matter is in scope. The Security Officer will decide on triage; the reporter is not expected to make that judgement.
4. How to report
4.1 Primary channel — Security Officer direct line
The Security Officer maintains a direct reporting line published in the workforce handbook. The direct line comprises:
- A monitored internal email alias, accessible to the Security Officer.
- A direct messaging route to the Security Officer.
- A request-for-conversation route — the reporter may request an in-person or video conversation without stating the reason in advance.
The reporter chooses the channel that suits the report. There is no requirement to use any particular channel and no requirement to disclose the channel choice to anyone else.
4.2 Escalation path — when the Security Officer is the subject
Where the concern relates to the Security Officer personally, or to a person to whom the Security Officer reports, the workforce member uses the escalation channel. The escalation channel is:
- An independent contact identified in the workforce handbook, who is not the Security Officer and is not in the Security Officer's reporting chain. The independent contact may be a non-executive leader, a board observer, or external counsel — Glassbreak publishes the current independent contact and their contact details in the handbook.
- The independent contact triages the report and, if the concern is substantiated, refers the matter for investigation under the Sanctions & Disciplinary Policy §4 using an investigator independent of the subject.
The escalation channel may also be used at any time by a workforce member who, for any reason, is not comfortable routing a report through the Security Officer.
4.3 What to include
A report is acted on regardless of the level of detail provided. Where the reporter is able, the following information helps triage:
- What was observed.
- When and where it was observed.
- Who was involved, if known.
- Why the reporter believes the matter is a concern.
- Any supporting evidence (screenshot, log excerpt, document reference) the reporter can share without compromising the matter.
A report submitted without any of the above is still acted on. The reporter is never required to prove the concern before raising it.
4.4 Anonymous reports
Reports may be submitted anonymously through the independent-contact escalation channel. Anonymous reports are accepted and triaged on the same basis as identified reports; the absence of a reporter identity limits the ability to ask follow-up questions but does not reduce the priority of the report.
5. Triage
5.1 Acknowledgement
- A report submitted to the Security Officer's direct line is acknowledged to the reporter within 1 business day of receipt, unless the report was submitted anonymously.
- A report submitted through the escalation channel is acknowledged by the independent contact within 2 business days.
- The acknowledgement confirms receipt and indicates the next step; it does not require the reporter to do anything.
5.2 Initial assessment
- The recipient assesses whether the report describes a likely security incident, a likely policy or compliance breach, or another category.
- Where the report describes a likely security incident, an incident record is opened under the Incident Response Policy within 1 business day of receipt and severity is assigned per IR §3.
- Where the report describes a likely policy or compliance breach, the matter is investigated under the Sanctions & Disciplinary Policy §4.
- Where the report describes a matter outside both, it is referred to the appropriate channel (HR, legal, operational) and the reporter is informed of the referral.
5.3 Timing targets
- Acknowledgement: within 1 business day (Security Officer) or 2 business days (escalation channel).
- Initial assessment and routing decision: within 5 business days.
- Status update to the reporter (where identified): at least every 10 business days until the matter is closed or escalation status is communicated.
- For matters that meet the criteria of a SEV-1 or SEV-2 incident under the IR policy, the IR policy timing targets supersede these.
6. No retaliation
Glassbreak does not tolerate retaliation against any workforce member who raises a concern in good faith under this procedure. The no-retaliation guarantee is set in the Sanctions & Disciplinary Policy §8, where retaliation is explicitly categorised as a Gross violation. The guarantee applies whether the underlying concern is substantiated, unsubstantiated, or remains inconclusive.
A workforce member who believes they have been retaliated against for raising a report under this procedure may report that retaliation through the escalation channel in section 4.2. Investigation follows the Sanctions Policy §4.
7. Confidentiality
- Reports and the identity of the reporter are handled on a need-to-know basis throughout the triage and investigation.
- Where the investigation requires disclosure of the reporter's identity (for example, to a witness whose evidence is essential), the reporter is consulted in advance where reasonably possible.
- Reports filed through the escalation channel may be redacted by the independent contact before being shared with anyone else, to preserve the reporter's position.
8. Records
- Every report is recorded in the internal-reporting register with date received, recipient, summary, assessment, routing decision, and outcome.
- Where the report becomes an incident record under the IR policy or a disciplinary investigation under the Sanctions Policy, the internal-reporting register entry is cross-referenced.
- Records are retained for at least 5 years from closure.
9. Awareness
- This procedure is covered in the Day 1 security briefing (/policies/onboarding §4.3) and in the annual security-awareness refresher.
- The current contact details for both the Security Officer direct line and the escalation independent contact are published in the workforce handbook and reviewed at every annual policy review.
10. Review
This procedure is reviewed at least annually and after any report that exposed a weakness in the channel itself (for example, a delay in acknowledgement, an unclear escalation path). The next scheduled review is 27 May 2027.
11. Related documents
- Information Security Policy
- Incident Response Policy
- Sanctions & Disciplinary Policy (§4, §8)
- Onboarding Policy (§4.3)
- Coordinated Disclosure Policy — for external reporters
Counter-signed PDF copy available on request to compliance@glassbreak.io.