Risk Register
Version: 1.0 · Last review: July 14, 2026 · Owner: Security Lead Cadence: Reviewed monthly; each risk re-scored at least annually.
Scoring
- Likelihood (L): 1 Rare · 2 Unlikely · 3 Possible · 4 Likely · 5 Almost certain
- Impact (I): 1 Negligible · 2 Minor · 3 Moderate · 4 Major · 5 Severe
- Score = L × I. Treatment threshold: ≥ 12 = Priority.
- Treatment: Mitigate · Transfer · Avoid · Accept
| ID | Risk | Category | L | I | Score | Owner | Treatment | Mitigation / Control | Status |
| --- | --- | --- | :-: | :-: | :-: | --- | --- | --- | --- |
| R-01 | Multi-tenant data leak via missing/incorrect RLS policy | Data | 2 | 5 | 10 | Eng Lead | Mitigate | RLS enforced + CI test roles_and_rls.sql; peer review on any policy change | Open · Monitored |
| R-02 | Credential stuffing against /login | Access | 4 | 4 | 16 | Security | Mitigate | HIBP check, rate-limit bucket, MFA available, security_events alerts | Priority |
| R-03 | Privilege escalation via user_roles self-insert | Access | 2 | 5 | 10 | Eng Lead | Mitigate | WITH CHECK policy + trigger; only service role can grant | Open · Monitored |
| R-04 | Vulnerable npm dependency in prod bundle | Supply chain | 4 | 4 | 16 | Eng Lead | Mitigate | Weekly bun audit in CI; Dependabot; monthly review | Priority |
| R-05 | Stripe webhook forgery / replay | Payments | 2 | 5 | 10 | Eng Lead | Mitigate | HMAC signature verify + idempotency key on /api/public/webhooks/stripe | Open · Monitored |
| R-06 | Service-role key leaked via client bundle | Secrets | 2 | 5 | 10 | Eng Lead | Mitigate | Import guard blocks client.server.ts from client graph; secret in Cloudflare env only | Open · Monitored |
| R-07 | Data loss / DB corruption | Availability | 2 | 5 | 10 | Ops | Mitigate + Transfer | Supabase daily PITR (7 d) + 30 d snapshot; RTO 4 h / RPO 24 h; restore drill every 6 mo | Open · Monitored |
| R-08 | Third-party AI provider outage (Lovable AI, Grok, IC canister) | Vendor | 4 | 3 | 12 | Eng Lead | Mitigate | Multi-provider fallback (Grok → oracle-ai-v2 → cached response) | Priority |
| R-09 | Prompt injection / model jailbreak via user-supplied photos or text | AI | 4 | 3 | 12 | Eng Lead | Mitigate | System-prompt guardrails, output validation, no tool-call side effects without confirmation | Priority |
| R-10 | Insider misuse of admin console | People | 2 | 4 | 8 | Security | Mitigate | Only 2 owners; every action written to audit_logs; quarterly access review | Open · Monitored |
| R-11 | GDPR / CCPA non-compliance from delayed DSAR fulfilment | Legal | 3 | 4 | 12 | Security | Mitigate | 30-day SLA tracked in audit_logs; /data-deletion self-serve | Priority |
| R-12 | DDoS on public marketing + auth endpoints | Availability | 3 | 3 | 9 | Ops | Transfer | Cloudflare WAF + rate limiting; auto-scale SSR workers | Open · Monitored |
Change log
- 2026-07-14 — Register created; 12 risks scored. R-02, R-04, R-08, R-09, R-11 flagged Priority.
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.