← Governance

Incident Procedure

Runtime governance for NaughtyBits projects · inherits naughtybits-core.md (core v0.1) · v0.1, tracks the core

The project constitution governs whether a project exists. This governs how it behaves once it runs: how harm is caught, and what is owed to a person who reports it. It applies to every admitted project.

1. Internal vetting

Internal vetting exists to catch every problem before it reaches a person. Exhaustiveness is its aim.

Its sufficiency is never assumed, because it inherits the blind spots the core names: priors distorted by the taboo, disgust mistaken for evidence, and the reflex to decide on people's behalf. A process staffed only by the operator and people who reason like the operator reproduces exactly those blind spots. So affected persons sit inside internal vetting, with power over what gets examined and how — not as a panel consulted after the judgment is already made. This is the §4 requirement placed where the catching actually happens.

Internal vetting is built on the assumption that it will still miss things. That assumption is not pessimism; it is the reason the next layer is mandatory rather than ornamental. A gate that believed in its own completeness would have no backstop, and the misses that matter are precisely the ones it cannot see.

2. External vetting

External vetting is standing, not triggered. It does not wait for internal vetting to be seen to fail, because the failures that matter are invisible from inside — if internal knew what it had missed, it would not have missed it. A backstop that fires only when the primary is known to have failed never fires. So external vetting runs whether or not internal believes it caught everything. Its channel terminates at the external body the core constitutes (core §9), not at the entity — that is the structural fact that makes the non-suppressibility below a thing rather than a promise.

Full facilitation is not a contact form and a promise. It is three things, each of which costs the entity something:

• Access. An outside party can obtain what they would need to find a problem the inside could not see — the information itself, not a summary curated by the party being examined.
• Protection. Anyone who reports — an outside reviewer or a user — is protected from retaliation by the project or the entity.
• Non-suppressibility. A finding cannot be killed by the entity the finding is against. The channel does not route through the party with the motive to bury it — it routes to the external body (core §9), which the entity cannot dissolve, override, or starve.

Short of all three, it is not facilitation. It is the word without the thing.

3. When a person reports they have been harmed

The first move is to determine which report this is, because a person reporting personal harm is one of two very different things, and they are owed different responses.

A report is a defect when the platform itself did something wrong to them — a flaw in the machine. A report is a victimization when the harm is someone's conduct against them, meeting the §3 floor: a victim who could not consent, or a predatory use of the platform as the attack.

When it is unclear which, it is treated as a victimization until shown otherwise. The cost of under-reacting to a victimization is borne by a person; the cost of over-reacting to a defect is borne by the entity. The procedure errs toward the person.

Victimization. This is not a customer-service escalation, and "we helped them and we are working on a structural fix" is not an adequate response to a crime in progress. The obligation runs outside the platform: the person is protected, evidence is preserved, and where the conduct meets the floor it is reported to the proper authorities — whether or not that serves the entity. Closing the hole that allowed it is required in addition, never instead.

The preservation pipeline is itself a harm surface, and is governed as one. A store of intimate evidence assembled to protect victims is also a honeypot, and the primitives bind it as they bind everything else: it holds the minimum needed to protect the person and discharge the report to authorities, and nothing retained for the entity's convenience; it is access-controlled to the few who must touch it; it is held only as long as the report requires and then destroyed; and the affected person is told what is held about them and why. Preservation that quietly becomes general surveillance of users — or a second breach waiting to happen — is a defect in the machine the procedure exists to catch, not an exception to it.

Defect. The individual is helped first. Then the harm is resolved structurally — for everyone in their position, not only the one who reported it.

4. Immediacy, and structure over the individual

"Immediately" means on first contact: the person is helped before the cause is understood and before any structural work begins. Diagnosis and design follow the person's safety; they do not precede it.

Structural resolution is the default and the resting state. An individual-only fix is permitted as the interim while the structural one is built, never as the place the response stops. A harm closed for the one who reported it and left open for everyone else is not solved. It is privatized — the externality the core exists to refuse, now hidden behind a single satisfied complaint.

"Interim" is bounded, because an interim with no clock is the same drift the core's anti-ratchet logic exists to refuse — a degree masquerading as handled. Two bounds hold it. Every open interim sits on the standing external-vetting agenda (core §9; §2) and cannot leave it until the structural fix lands — the external body, not the entity, decides when it is closed. And the interim carries a hard ceiling stated in advance by the project: past it, an unclosed interim is itself a reportable defect, escalated as one. The default ceiling, absent a shorter one a project justifies, is ninety days. The cap forces the escalation; the standing agenda makes sure someone outside the entity is watching it expire.