Documents  Decision Records  Risks Security Risk Register

1 Security Risk Register

This registry collects the product's security risks in the ISO 27005 shape: each record names a threat, the vulnerability it exploits, and the mitigation that controls it.

1.1 Scoring

Every record carries the CVSS v3.1 base score of its vulnerability, precomputed from the vector written in its CVSS Vector section. The register surfaces the score unchanged as the CVSS RPN column — a single-input group, no product is computed.

The colour bands follow the CVSS severity boundaries:

Band Score Register colour
Low 0.1 – 3.9 acceptable (green)
Medium / High 4.0 – 8.9 caution (amber)
Critical 9.0 – 10.0 unacceptable (red)

A critical score blocks the release until the mitigation lands; scores in the caution band are worked in severity order.

1.2 Lifecycle

Records move through Identified, Analysed, Mitigating, Accepted, and Closed. Every record whose current status is not Closed counts as open in the registries summary.

# Title Threat Vulnerability Mitigation Affected Documents Status CVSS RPN
SECR-001 SQL Injection in Search

An unauthenticated attacker reads or alters the entire database through crafted search input.

The search endpoint concatenates the user-supplied term into the SQL statement instead of binding it as a parameter.

Replace the string concatenation with parameterised queries across the data layer and add a negative test suite of injection payloads to the build.

REQ-010, REQ-011, REQ-012 Mitigating 9.8
SECR-002 Vulnerable Third-Party Dependencies

An attacker exploits a publicly known vulnerability in one of the product's outdated third-party libraries.

Dependencies are pinned once per release and never rescanned; the current lock file contains libraries with published advisories.

Add a dependency audit to the build that fails on any advisory at High or above, and schedule a monthly update window for the rest.

Analysed 8.1
SECR-003 Brute-Forceable Passwords

An attacker gains a user account by trying common passwords against the login endpoint.

No password policy is enforced and the login endpoint neither rate-limits nor locks out repeated failures.

Not yet defined; candidate controls are a minimum-length policy checked against a breached-password list, and exponential back-off on failed logins.

Identified 7.5
SECR-004 Stack Traces in Error Pages

An attacker maps the product's internals — framework versions, file paths, query shapes — from the diagnostic detail leaked in error responses.

Unhandled exceptions return the full stack trace to the client when the deployment flag is left in development mode.

Accepted for this release with a compensating control: the deployment checklist verifies the production flag, and error responses are sampled in the smoke test. A framework-level generic error page is scheduled for the next release.

Accepted 5.3
SECR-005 Clickjacking on Settings Page

An attacker overlays the settings page in a hidden frame and tricks a logged-in user into clicking a destructive control.

The application served no frame-ancestors policy, so any site could embed it.

Shipped: the frame-ancestors content-security policy denies all embedding, and the smoke test asserts the header on every page.

Closed 3.1