1 Security Risk Register ¶
This registry collects the product's security risks in the ISO 27005 shape: each record names a threat, the vulnerability it exploits, and the mitigation that controls it.
1.1 Scoring ¶
Every record carries the CVSS v3.1 base score of its vulnerability, precomputed from the vector written in its CVSS Vector section. The register surfaces the score unchanged as the CVSS RPN column — a single-input group, no product is computed.
The colour bands follow the CVSS severity boundaries:
| Band | Score | Register colour |
|---|---|---|
| Low | 0.1 – 3.9 | acceptable (green) |
| Medium / High | 4.0 – 8.9 | caution (amber) |
| Critical | 9.0 – 10.0 | unacceptable (red) |
A critical score blocks the release until the mitigation lands; scores in the caution band are worked in severity order.
1.2 Lifecycle ¶
Records move through Identified, Analysed, Mitigating, Accepted, and Closed. Every record whose current status is not Closed counts as open in the registries summary.
| # | Title | Threat | Vulnerability | Mitigation | Affected Documents | Status | CVSS RPN |
|---|---|---|---|---|---|---|---|
| SECR-001 | SQL Injection in Search | An unauthenticated attacker reads or alters the entire database through crafted search input. |
The search endpoint concatenates the user-supplied term into the SQL statement instead of binding it as a parameter. |
Replace the string concatenation with parameterised queries across the data layer and add a negative test suite of injection payloads to the build. |
REQ-010, REQ-011, REQ-012 | Mitigating | 9.8 |
| SECR-002 | Vulnerable Third-Party Dependencies | An attacker exploits a publicly known vulnerability in one of the product's outdated third-party libraries. |
Dependencies are pinned once per release and never rescanned; the current lock file contains libraries with published advisories. |
Add a dependency audit to the build that fails on any advisory at High or above, and schedule a monthly update window for the rest. |
Analysed | 8.1 | |
| SECR-003 | Brute-Forceable Passwords | An attacker gains a user account by trying common passwords against the login endpoint. |
No password policy is enforced and the login endpoint neither rate-limits nor locks out repeated failures. |
Not yet defined; candidate controls are a minimum-length policy checked against a breached-password list, and exponential back-off on failed logins. |
Identified | 7.5 | |
| SECR-004 | Stack Traces in Error Pages | An attacker maps the product's internals — framework versions, file paths, query shapes — from the diagnostic detail leaked in error responses. |
Unhandled exceptions return the full stack trace to the client when the deployment flag is left in development mode. |
Accepted for this release with a compensating control: the deployment checklist verifies the production flag, and error responses are sampled in the smoke test. A framework-level generic error page is scheduled for the next release. |
Accepted | 5.3 | |
| SECR-005 | Clickjacking on Settings Page | An attacker overlays the settings page in a hidden frame and tricks a logged-in user into clicking a destructive control. |
The application served no frame-ancestors policy, so any site could embed it. |
Shipped: the frame-ancestors content-security policy denies all embedding, and the smoke test asserts the header on every page. |
Closed | 3.1 |