From 78035fba12e9271d13945510564b28eaa4876655 Mon Sep 17 00:00:00 2001 From: Artemis Date: Mon, 16 Feb 2026 23:50:49 +0000 Subject: [PATCH 1/3] content(governance): add Security Council Best Practices page Based on OpenZeppelin's 'From Stage 0 to Stage 1' guide by Bram Hoogenkamp and Michael Lewellen. Covers council formation, multi-sig setup, incident response, governance integration, and readiness drills. Closes #109 --- .../governance/council-best-practices.mdx | 375 ++++++++++++++++++ docs/pages/governance/index.mdx | 1 + docs/pages/governance/overview.mdx | 1 + vocs.config.tsx | 1 + 4 files changed, 378 insertions(+) create mode 100644 docs/pages/governance/council-best-practices.mdx diff --git a/docs/pages/governance/council-best-practices.mdx b/docs/pages/governance/council-best-practices.mdx new file mode 100644 index 00000000..2f443b0d --- /dev/null +++ b/docs/pages/governance/council-best-practices.mdx 
@@ -0,0 +1,375 @@ +--- +title: "Security Council Best Practices | Security Alliance" +description: "Establish effective Security Councils for rollup governance with best practices covering formation, incident response, multi-sig setup, governance integration, and readiness drills." +tags: + - Operations & Strategy + - Legal & Compliance +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' + + + + +# Security Council Best Practices in Rollup Governance + + + +> **Attribution**: This section is based on [From Stage 0 to Stage 1: Security Council Best Practices in Rollup Governance](https://www.openzeppelin.com/news/security-council-best-practices-guide) by [OpenZeppelin](https://www.openzeppelin.com), authored by Bram Hoogenkamp and Michael Lewellen. + +Security Councils serve as specialized governance bodies that act as the final line of defense against exploits, governance attacks, and systemic failures in decentralized protocols. This guide outlines best practices for establishing and operating effective Security Councils, particularly for rollup governance frameworks. + +## Understanding Security Councils + +Security Councils are designated groups with elevated permissions to respond to emergencies and protect protocol integrity. Their core responsibilities include: + +- **Threat Identification**: Monitoring for emerging security vulnerabilities and attack vectors +- **Emergency Response**: Coordinating rapid actions such as pausing operations or deploying emergency patches +- **Protocol Stewardship**: Conducting routine security reviews and maintaining long-term protocol health +- **Risk Mitigation**: Implementing preventive measures before threats materialize + +Unlike traditional governance bodies focused on feature development and parameter adjustments, Security Councils specialize in crisis management and defensive operations. 
+ +## Formation and Timing + +### When to Establish a Security Council + +Security Councils should be formed once protocols achieve sufficient maturity: + +**Prerequisites:** +- Clear governance structures with defined decision-making processes +- Documented operational standards and security procedures +- Active community participation and stakeholder engagement +- Identified security risks requiring specialized oversight + +**Timing Considerations:** +- **Too early**: Creates unnecessary overhead when protocols lack complexity requiring Council intervention +- **Too late**: Leaves protocols vulnerable during crisis situations without established response frameworks +- **Optimal window**: When transitioning from Stage 0 to Stage 1 in rollup maturity, or when governance attack surface increases significantly + +Regular reviews ensure the Council's structure remains aligned with evolving protocol risks and governance requirements. + +## Key Roles and Responsibilities + +### Member Composition + +Effective Security Councils balance diverse expertise: + +**Technical Security Expertise:** +- Smart contract security and auditing experience +- Cryptography and protocol design knowledge +- Infrastructure and operational security backgrounds + +**Crisis Management Experience:** +- Proven incident response capabilities +- Decision-making under pressure +- Communication during emergencies + +**Legal and Compliance Knowledge:** +- Understanding of regulatory requirements +- Risk assessment frameworks +- Documentation and transparency standards + +### Selection and Governance + +**Transparent Selection Process:** +- Community-driven nominations and voting +- Public disclosure of selection criteria +- Documented qualifications and conflict-of-interest policies + +**Term Limits and Rotation:** +- Fixed term lengths (typically 6-12 months) +- Staggered rotations to maintain institutional knowledge +- Clear succession planning + +### Service Level Agreements (SLAs) + +Establish 
explicit commitments defining: +- Emergency response times (e.g., acknowledge critical threats within 1 hour) +- Upgrade review periods (e.g., evaluate proposed changes within 48 hours) +- Communication requirements during incidents +- Availability expectations for Council members + +## Multi-Sig Setup and Custody + +### Configuration Models + +**Individual EOA Signers:** +- Simple setup with each member controlling a single externally owned account +- Suitable for smaller Councils with high trust requirements +- Vulnerable to individual key compromise + +**Safe-of-Safes Architecture:** +- Member organizations maintain their own multi-signature wallets +- Council multi-sig requires signatures from multiple member Safes +- Reduces single-key compromise risk +- Increases operational complexity + +### Security Best Practices + +**Key Management:** +- Use hardware wallets exclusively for Council signing operations +- Maintain dedicated accounts solely for Security Council actions +- Avoid casual backup copies that increase compromise surface area +- Store hardware wallets in secure physical locations (safes, safety deposit boxes) + +**Threshold Configuration:** +- Balance accessibility with security (common: 4-of-6, 5-of-7) +- Consider time-sensitivity requirements for emergency responses +- Document threshold justifications and review periodically + +**Key Rotation:** +- Rotate signing keys 3-4 times annually minimum +- Establish rotation procedures during member transitions +- Test rotation processes before emergency situations + +### Liveness and Accountability + +**Example: Optimism's LivenessGuard** + +Optimism's Security Council implements a LivenessGuard Safe Module that automatically removes inactive members while preserving security thresholds. 
This mechanism: +- Tracks member signing activity over defined periods +- Prevents governance deadlocks from unavailable signers +- Maintains operational continuity during emergencies +- Creates accountability through transparent activity metrics + +## Incident Response + +### Response Framework + +Effective incident response follows structured phases: + +**1. Detection** +- Automated monitoring systems for on-chain anomalies +- Community reporting channels +- Threat intelligence feeds +- Internal security audits + +**2. Assessment** +- Severity classification using predefined criteria +- Impact analysis across protocol components +- Likelihood evaluation based on threat intelligence +- Scope definition to prevent mission creep + +**3. Action** +- Automated pausing mechanisms for critical vulnerabilities +- Manual intervention for complex situations +- Emergency upgrade procedures with defined approval thresholds +- Coordination with broader DAO governance when appropriate + +**4. Communication** +- Rapid notification to stakeholders via established channels +- Single source of truth during incidents (avoid conflicting information) +- Transparent disclosure of publicly-safe information +- Reserved communication of sensitive details requiring investigation + +**5. 
Resolution and Postmortem** +- Public incident reports documenting response timeline +- Corrective actions and prevention measures +- Council performance evaluation +- Lessons learned integration into procedures + +### Emergency Classification + +Define emergency categories before crises occur using a decision matrix: + +| Severity | Likelihood | Examples | Response | +|----------|-----------|----------|----------| +| Critical | High | Active exploit draining funds | Immediate pause, emergency upgrade | +| Critical | Low | Theoretical attack requiring coordination | Accelerated review, preventive measures | +| Medium | High | Governance manipulation attempt | Enhanced monitoring, parameter adjustments | +| Medium | Low | Potential future vulnerability | Standard review process | +| Low | Any | Minor UI bugs, documentation issues | Normal operations, no Council action | + +### Automated vs. Manual Pausing + +**Automated Mechanisms:** +- Trigger-based responses to predefined conditions +- Faster response times for known attack patterns +- Reduced human error during high-stress situations +- Risk of false positives disrupting operations + +**Manual Intervention:** +- Required for complex situations requiring judgment +- Allows contextual assessment before action +- Slower response times +- Potential for delayed response during off-hours + +Optimal approaches combine automated detection with manual authorization for critical actions. 
+ +### Communication During Incidents + +**Immediate Disclosure:** +- Confirm incident detection and Council activation +- Provide high-level impact assessment +- Share mitigation actions taken +- Set expectations for updates + +**Reserved Information:** +- Exploit technical details while vulnerability remains +- Ongoing investigation findings +- Internal deliberation processes +- Attribution to specific actors (until confirmed) + +**Post-Incident Transparency:** +- Full timeline documentation +- Technical root cause analysis +- Effectiveness of response measures +- Preventive measures for future incidents + +## Governance Integration + +Security Councils must operate within broader DAO governance frameworks: + +### Escalation Paths + +Define clear conditions requiring DAO approval: +- Non-emergency protocol upgrades +- Changes to Council powers or composition +- Parameter modifications outside emergency scope +- Major architectural changes + +**Example Decision Tree:** +``` +Is immediate action required to prevent loss of funds? +├─ Yes → Security Council emergency authority +└─ No → Does change affect core protocol economics? + ├─ Yes → Full DAO governance process + └─ No → Council review with timelock +``` + +### Power Boundaries + +Establish explicit limits on Council authority: +- Maximum funds accessible without DAO approval +- Types of contract modifications permitted +- Duration of emergency measures before review +- Geographic or jurisdictional restrictions + +Regular parameter reviews ensure powers remain proportional to evolving risks. 
+ +### Cross-Protocol Collaboration + +Security Councils benefit from coordinated efforts: + +**Shared Monitoring Infrastructure:** +- Joint threat intelligence networks +- Collaborative vulnerability disclosure +- Cross-protocol security audits +- Coordinated response to ecosystem-wide threats + +**Industry Partnerships:** +- SEAL 911 emergency war room access for crisis coordination +- SEAL Drill Templates for standardized readiness testing +- Shared postmortem analysis across protocols +- Collective security research initiatives + +**Example: 2023 Oracle Attack Simulation** + +OpenZeppelin and Compound Labs conducted a simulated oracle attack exercise: +- Automated detection tools identified price manipulation +- Coordinated response roles between security teams +- Communication protocols tested under simulated pressure +- Lessons learned documented for industry benefit + +## Readiness Drills and Maintenance + +### Operational Preparedness + +**Scheduled Drills:** +- Quarterly incident response simulations +- Annual key rotation exercises +- Semi-annual communication tests +- Scenario-based tabletop exercises + +**Unannounced Liveness Tests:** +- Random signing requirement notifications +- Response time monitoring +- Member availability verification +- Backup communication channel validation + +**Travel and Availability Policies:** +- Physical security protocols during travel +- Backup signer designation during planned absence +- Geographic distribution requirements +- Redundant access to signing infrastructure + +### Documentation Standards + +**Public Transparency:** +- Member identities and qualifications +- Selection criteria and processes +- Term lengths and rotation schedules +- Voting thresholds and quorum requirements +- Response-time SLAs +- High-level incident response framework +- Upgrade procedures + +**Private Records:** +- Detailed drill results and performance metrics +- Internal decision logs for continuous improvement +- Sensitive security 
assessments +- Confidential communications during incidents + +**Living Documentation:** +- Regular updates reflecting lessons learned +- Version control for procedural changes +- Accessibility for new members +- Community feedback integration + +### Continuous Improvement + +Security Councils should evolve through: +- Post-drill retrospectives identifying gaps +- Regular security landscape assessments +- Member feedback on operational challenges +- Community input on Council effectiveness +- Benchmark comparisons with other protocols + +## Integration with SEAL Resources + +Security Councils can leverage existing SEAL infrastructure: + +**SEAL 911 War Rooms:** +- Emergency coordination channels for active incidents +- Expert assistance during crises +- Cross-protocol collaboration facilities +- See [SEAL 911 War Room Guidelines](/incident-management/playbooks/seal-911-war-room-guidelines) + +**SEAL Drill Templates:** +- Standardized scenario testing frameworks +- Documented best practices from industry incidents +- Tabletop exercise materials +- Performance metrics for readiness assessment + +**Incident Management Playbooks:** +- Response procedures for common attack vectors +- Communication templates +- Escalation frameworks +- See [Incident Management](/incident-management/overview) + +## Best Practices Summary + +1. **Establish clear prerequisites** before forming Security Councils to avoid premature overhead +2. **Balance diverse expertise** across technical security, crisis management, and compliance domains +3. **Implement robust key management** with hardware wallets, rotation schedules, and liveness mechanisms +4. **Define emergencies explicitly** using severity matrices before crises occur +5. **Maintain transparent communication** with predefined channels and disclosure protocols +6. **Integrate with DAO governance** through clear escalation paths and power boundaries +7. **Conduct regular drills** combining scheduled exercises and unannounced tests +8. 
**Document thoroughly** with public transparency and private operational records +9. **Collaborate across protocols** through shared monitoring and threat intelligence +10. **Continuously improve** based on drills, incidents, and community feedback + +## Additional Resources + +- [OpenZeppelin Security Council Best Practices Guide](https://www.openzeppelin.com/news/security-council-best-practices-guide) +- [Incident Management Framework](/incident-management/overview) +- [SEAL 911 War Room Guidelines](/incident-management/playbooks/seal-911-war-room-guidelines) +- [Multisig for Protocols](/multisig-for-protocols/overview) +- [Risk Management](/governance/risk-management) + +--- + + + diff --git a/docs/pages/governance/index.mdx b/docs/pages/governance/index.mdx index 62fe29ec..34d819dd 100644 --- a/docs/pages/governance/index.mdx +++ b/docs/pages/governance/index.mdx @@ -15,3 +15,4 @@ title: "Governance" - [Compliance & Regulatory Requirements](/governance/compliance-regulatory-requirements) - [Risk Management](/governance/risk-management) - [Security Metrics & KPIs](/governance/security-metrics-kpis) +- [Security Council Best Practices](/governance/council-best-practices) diff --git a/docs/pages/governance/overview.mdx b/docs/pages/governance/overview.mdx index 0a321408..1424eb5b 100644 --- a/docs/pages/governance/overview.mdx +++ b/docs/pages/governance/overview.mdx @@ -25,6 +25,7 @@ governance in your project. 1. [Compliance with Regulatory Requirements](/governance/compliance-regulatory-requirements) 2. [Risk Management](/governance/risk-management) 3. [Security Metrics and KPIs](/governance/security-metrics-kpis) +4. [Security Council Best Practices](/governance/council-best-practices) --- diff --git a/vocs.config.tsx b/vocs.config.tsx index 78a1a8e3..44541c3e 100644 --- a/vocs.config.tsx +++ b/vocs.config.tsx 
@@ -292,6 +292,7 @@ const config = { { text: 'Compliance with Regulatory Requirements', link: '/governance/compliance-regulatory-requirements', dev: true }, { text: 'Risk Management', link: '/governance/risk-management', dev: true }, { text: 'Security Metrics and KPIs', link: '/governance/security-metrics-kpis', dev: true }, + { text: 'Security Council Best Practices', link: '/governance/council-best-practices', dev: true }, ] }, { From fb59ad346277724c39ef4d19e254b7d7ef8194e2 Mon Sep 17 00:00:00 2001 From: Artemis Date: Tue, 24 Feb 2026 05:41:47 +0000 Subject: [PATCH 2/3] =?UTF-8?q?fix(council):=20correct=20LivenessGuard?= =?UTF-8?q?=E2=86=92LivenessModule=20terminology,=20fix=20wargame=20simula?= =?UTF-8?q?tion=20year?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/pages/governance/council-best-practices.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/pages/governance/council-best-practices.mdx b/docs/pages/governance/council-best-practices.mdx index 2f443b0d..28d849b6 100644 --- a/docs/pages/governance/council-best-practices.mdx +++ b/docs/pages/governance/council-best-practices.mdx @@ -125,9 +125,9 @@ Establish explicit commitments defining: ### Liveness and Accountability -**Example: Optimism's LivenessGuard** +**Example: Optimism's LivenessModule** -Optimism's Security Council implements a LivenessGuard Safe Module that automatically removes inactive members while preserving security thresholds. This mechanism: +Optimism's Security Council implements a LivenessModule (a Safe module) that automatically removes inactive members while preserving security thresholds. This mechanism: - Tracks member signing activity over defined periods - Prevents governance deadlocks from unavailable signers - Maintains operational continuity during emergencies 
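Review bot: In the new council-best-practices.mdx hunk, the bullet `- Exploit technical details while vulnerability remains` under **Reserved Information** is missing its predicate; suggest `- Exploit technical details while the vulnerability remains unpatched`. Separately, the file imports `TagList, AttributionList, TagProvider, TagFilter, ContributeFooter` but none of those components appear anywhere in the visible diff (the lines after the import and around the closing `---` are blank); if the JSX was lost from the patch rather than from the file, ignore this, otherwise the imports are unused and will fail lint.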
@@ -264,7 +264,7 @@ Security Councils benefit from coordinated efforts: - Shared postmortem analysis across protocols - Collective security research initiatives -**Example: 2023 Oracle Attack Simulation** +**Example: Compound Wargame Simulation** OpenZeppelin and Compound Labs conducted a simulated oracle attack exercise: - Automated detection tools identified price manipulation From d84bc8ba6b226ff9f9c558cfb9ab3bc3e4a9c6d7 Mon Sep 17 00:00:00 2001 From: Artemis Date: Sun, 1 Mar 2026 04:30:24 +0000 Subject: [PATCH 3/3] fix: correct LivenessGuard name and Compound wargame attribution - Optimism uses LivenessGuard (not LivenessModule), added link to specs - Compound wargame was conducted by SEAL Chaos Team, OpenZeppelin, and Compound Labs - Added specific simulation details from source: 28% WETH price inflation, $650K risk - All content verified against OpenZeppelin source article --- docs/pages/governance/council-best-practices.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/pages/governance/council-best-practices.mdx b/docs/pages/governance/council-best-practices.mdx index 28d849b6..c6627568 100644 --- a/docs/pages/governance/council-best-practices.mdx +++ b/docs/pages/governance/council-best-practices.mdx 
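Review bot: The rename to LivenessModule in the Liveness and Accountability hunk matches the behaviour the sentence describes: in Optimism's Safe extensions spec, the LivenessModule is the Safe module that removes owners who have been inactive, while the LivenessGuard is a Safe guard that only records when each owner last participated in a signature. Because both components exist, the sentence is clearest if it names both, e.g. `a LivenessGuard that records each owner's signing activity and a LivenessModule that removes owners inactive beyond the configured interval`.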
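Review bot: The commit subject says `fix wargame simulation year`, but the only change in the Cross-Protocol Collaboration hunk is dropping `2023` from the heading, which leaves the example with no date at all; either add the corrected year to the body sentence or reword the subject to say the year was removed, so the history does not imply a different year was substituted.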
@@ -125,9 +125,9 @@ Establish explicit commitments defining: ### Liveness and Accountability -**Example: Optimism's LivenessModule** +**Example: Optimism's LivenessGuard** -Optimism's Security Council implements a LivenessModule (a Safe module) that automatically removes inactive members while preserving security thresholds. This mechanism: +Optimism's Security Council implements a [LivenessGuard](https://specs.optimism.io/protocol/safe-extensions.html#the-liveness-module) (a Safe module) that automatically removes inactive members while preserving security thresholds. This mechanism: - Tracks member signing activity over defined periods - Prevents governance deadlocks from unavailable signers - Maintains operational continuity during emergencies @@ -266,7 +266,7 @@ Security Councils benefit from coordinated efforts: **Example: Compound Wargame Simulation** -OpenZeppelin and Compound Labs conducted a simulated oracle attack exercise: +The SEAL Chaos Team, OpenZeppelin, and Compound Labs conducted a simulated oracle attack exercise (2023). The SEAL Chaos Team simulated a rogue oracle inflating WETH prices by 28%, risking a $650K USDC drain from Compound's Comet pool: - Automated detection tools identified price manipulation - Coordinated response roles between security teams - Communication protocols tested under simulated pressure
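Review bot: The first hunk names the component LivenessGuard, describes it as `(a Safe module)` that removes inactive members, and links to the `#the-liveness-module` anchor of the spec; those three do not agree with each other. Optimism's safe-extensions spec defines a LivenessGuard (a Safe guard that records the last time each owner took part in a signature) and a separate LivenessModule (a Safe module that removes owners inactive past the liveness interval), and the removal behaviour this sentence describes belongs to the module. Rather than reverting PATCH 2/3's rename, suggest one sentence that names both and links each to its own anchor, e.g. `a LivenessGuard that records each owner's signing activity and a LivenessModule that removes owners inactive beyond the configured interval, while preserving the signing threshold`.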
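Review bot: The second hunk reintroduces `(2023)` for the Compound wargame after PATCH 2/3 removed `2023` from the heading under a subject of `fix wargame simulation year`; one of the two commits is wrong, so the series should settle on a single date checked against the OpenZeppelin source article the commit message says the content was verified against. The 28% WETH inflation and $650K USDC figures are fine as they are traceable to that same commit message.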