# Risk register (customer-shareable)
This document is safe to share with customers, partners, and auditors. Sensitive details (file paths, line numbers, repro steps, proof-of-concept exploits) live in `docs/security/internal/` and are not exposed here.
Audience. Compliance, customer success, partner integrations, due-diligence requests.
Scope. Risks tracked across the Evospin platform: backend services, websocket layer, public-facing player site, internal admin panel, supporting infrastructure.
Severity rubric. Critical (exploitable without authentication or causing financial loss), High (authenticated exploit or privilege escalation), Medium (information disclosure or feature-scoped denial-of-service), Low (defense-in-depth, hygiene, maintainability). CVSS v3.1 used where assignable.
Status legend. Mitigated (fix landed in production and verified) · In Progress (under active remediation, ETA below) · Accepted (risk acknowledged, no fix planned for this period — compensating control documented) · Wontfix (intentional behavior; documented exception).
## Summary
| Severity | Open | In progress | Mitigated | Accepted |
|---|---|---|---|---|
| Critical | 0 | 3 | 0 | 0 |
| High | 2 | 7 | 1 | 0 |
| Medium | 5 | 4 | 0 | 2 |
| Low | 13 | 5 | 0 | 5 |
| Total | 20 | 19 | 1 | 7 |
Counts reflect the active register as of the latest document version. The full revision trail, with file paths, line numbers, repro steps, and proof-of-concept material, is available on request under NDA.
## Risk register

### Critical
| ID | Title | Affected component | Status | Planned | Customer impact |
|---|---|---|---|---|---|
| SR-001 | Authentication missing on a bet-detail read path | Bet history subsystem | In Progress | Q2-2026 | A bet's full result detail could be read without logging in. Mitigated by short-lived bet identifiers and active monitoring; long-term fix pending. |
| SR-002 | Wallet transfer can drive primary balance below zero | Wallet subsystem | In Progress | Q2-2026 | A user could transfer more than they hold between wallet sub-accounts. Compensating monitor in place; structural fix in flight. |
| SR-003 | Promotional-code claim endpoint not reachable | Promotions subsystem | In Progress | Q2-2026 | Players cannot redeem promo codes via the front-end claim button. No security exposure; functional defect classified Critical because of revenue impact. |
### High
| ID | Title | Affected component | Status | Planned | Customer impact |
|---|---|---|---|---|---|
| SR-004 | Privileged role bypasses second-factor on admin actions | Admin authentication | In Progress | Q2-2026 | A pre-existing super-administrator account can act without MFA. No customer accounts affected; mitigation: super-admin enrollment locked behind change-management. |
| SR-005 | Bet-detail endpoint does not enforce per-user ownership | Bet history subsystem | In Progress | Q2-2026 | Even after authentication is restored (SR-001), one player could read another player's bet detail by guessing an identifier. Fixed alongside SR-001. |
| SR-006 | Cached bet-detail keying can leak across short-lived state | Bet history subsystem | In Progress | Q2-2026 | A narrow timing window exists where stale bet data is returned. Cache TTL kept short as compensating control. |
| SR-007 | Concurrent duplicate-bet detection returns generic error | Bet pipeline | In Progress | Q3-2026 | A duplicate-bet conflict returns a non-descriptive error to the client. Database-level constraint prevents data corruption. |
| SR-008 | Provably-fair seed-rotation race under lock expiry | Bet pipeline | In Progress | Q3-2026 | Theoretical fairness-integrity race under specific concurrent-load conditions. Defense-in-depth control in code; structural fix planned. |
| SR-009 | Wallet balance lacks a database-level non-negative constraint | Wallet subsystem | In Progress | Q2-2026 | Application-level guards prevent negative balances; missing schema-level safety net is being added. |
| SR-010 | Internal admin-broker route lacks an HTTP guard | Admin/back-office | In Progress | Q2-2026 | A specific deprecated internal endpoint can be reached with a generic token. Connectivity is already restricted by network policy; route is being deleted. |
| SR-011 | Shared signing secret between email-verify and password-reset flows | Authentication | In Progress | Q2-2026 | A leak of one signing secret would compromise both flows. Mitigation: secret rotation policy and HSM-protected storage. |
| SR-012 | Password-reset token reusable within validity window | Authentication | In Progress | Q2-2026 | A reset token can be replayed during its lifetime. Mitigated by short TTL; one-shot enforcement in flight. |
| SR-013 | Existing sessions persist after password reset | Authentication | Mitigated | (validated) | Now invalidates all sessions on reset. |
### Medium
| ID | Title | Affected component | Status | Planned | Customer impact |
|---|---|---|---|---|---|
| SR-014 | Login-flow timing oracle enables registered-email enumeration | Authentication | In Progress | Q3-2026 | An attacker can probe whether an email is registered. No password material exposed. |
| SR-015 | Rate-limit lockout window does not escalate on repeat offenders | Authentication | In Progress | Q3-2026 | An attacker who waits out the lockout gets a fresh attempt budget. No account compromise possible without password knowledge. |
| SR-016 | Login DTO validation does not bound payload sizes | Authentication | Open | Q3-2026 | Oversized request payloads consume slightly more CPU. Edge / WAF caps requests at the load-balancer. |
| SR-017 | Per-event linear scan over all websocket connections | Real-time delivery | Open | Q3-2026 | At >1k concurrent connections, balance-update fan-out costs scale linearly. Affects internal latency only. |
| SR-018 | Deprecated admin-broker endpoint hangs before failing | Admin/back-office | In Progress | Q2-2026 | Deprecated endpoint times out before returning. Same surface as SR-010. |
| SR-019 | Password-reset email cooldown channel leaks email status | Authentication | Open | Q3-2026 | Cooldown response timing reveals whether an email is registered. |
| SR-020 | Sign-up race on duplicate email returns 500 instead of 400 | Authentication | Open | Q3-2026 | Incorrect HTTP status under race; a bot could fingerprint live users. |
| SR-021 | Local-dev CAPTCHA bypass available with a magic token | Authentication | Accepted | — | Documented developer-experience affordance; production never sees it because the env-flag cannot be set in production. |
| SR-022 | Abandoned blackjack hand can lock funds indefinitely | Game: blackjack | Open | Q3-2026 | A player who abandons mid-hand has funds tied up until staff intervention. Operational compensating control. |
| SR-023 | Deferred-cancellation comparison misuses a date method | Promotions | Open | Q3-2026 | A secondary cancellation path is dead; primary path works. |
| SR-024 | Single-concurrency game queue can deadlock on retry exhaustion | Game: speed roulette | Open | Q3-2026 | A failed background job can stall further rounds until a worker restart. Watchdog under design. |
| SR-025 | Cross-service trace propagation blocked by 4 stacked defects | Observability/Admin panel | In Progress | Q2-2026 | Internal trace continuity gap between admin panel and the API. No customer impact. |
| SR-026 | Inter-service Redis-pub/sub does not propagate trace context | Observability | Accepted | — | Internal observability gap only; no customer impact. |
### Low
| ID | Title | Affected component | Status | Planned | Customer impact |
|---|---|---|---|---|---|
| SR-030 | Per-instance socket map prevents horizontal scaling of real-time | Real-time delivery | In Progress | Q3-2026 | Currently runs as a single instance; horizontal-scale work in flight. |
| SR-031 | Settle-side-effects queue has no replay on Redis outage | Bet pipeline | Open | Q4-2026 | Rare-event side-effects could be lost during a Redis incident. |
| SR-032 | Bet-status filter lacks a covering index | Bet history | Open | Q3-2026 | Power-user history queries are slower than necessary. |
| SR-033 | Sportsbook bets hidden by a hard-coded filter | Bet history | Open | Q3-2026 | Sportsbook bets do not appear in bet history listing. Sportsbook is currently not exposed to customers. |
| SR-034 | No HTTP cache on the wallet-balance read | Wallet | Open | Q3-2026 | Hot-path latency higher than necessary; no functional impact. |
| SR-035 | Transaction ledger only available via real-time channel | Wallet | Open | Q3-2026 | Polling-style integrations need to use the real-time channel. |
| SR-036 | FX rate is request-time, not row-stamped | Wallet | Open | Q3-2026 | USD-equivalent display drifts with FX between rows; ledger truth uses native currency. |
| SR-037 | Test currency indistinguishable from mainnet currency at the API layer | Wallet | Open | Q4-2026 | Affects internal testing UX only; production data is segregated by tenant. |
| SR-038 | Feature flag inlined per handler instead of guarded centrally | Leaderboard | Open | Q4-2026 | Maintainability; no functional impact. |
| SR-039 | Dead leaderboard producer | Leaderboard | Open | Q4-2026 | Dead code; pending deletion. |
| SR-040 | Leaderboard worker missing observability span | Leaderboard | Open | Q4-2026 | Internal visibility only. |
| SR-041 | Per-process leaderboard cache can serve up-to-60s stale data | Leaderboard | Accepted | — | Documented staleness budget. |
| SR-042 | Daily race scheduler bootstraps once at process start | Leaderboard | Open | Q3-2026 | A race may stay active past midnight if no restart occurred. Manual close in operational runbook. |
| SR-043 | Admin-side bet listing not parallelized | Admin/back-office | Open | Q4-2026 | Admin listing is slower than the player-side analog. |
| SR-044 | No admin endpoint for bet adjust/void/rollback | Admin/back-office | Accepted | — | Corrections issued via balance-adjustment endpoint by design. |
| SR-045 | Pagination response lacks aggregate fields | Admin/back-office | Open | Q4-2026 | Aggregates served by a separate dashboard endpoint; UX nit. |
| SR-046 | Admin audit-log filter scopes by actor, not target | Admin/back-office | Open | Q3-2026 | Documentation gap; operational adjustment in place. |
| SR-047 | Ban action does not pass through documented admin parameter | Admin/back-office | Open | Q3-2026 | Audit log captures the action; parameter wiring being completed. |
| SR-048 | No multi-ban endpoint | Admin/back-office | Open | Q4-2026 | Ban-one-at-a-time UX. No customer impact. |
| SR-049 | Ban endpoint not idempotent on repeat | Admin/back-office | Open | Q4-2026 | Repeated bans re-broadcast; no functional break. |
| SR-050 | Admin sign-in middleware silent fall-through on bad token | Admin authentication | Open | Q3-2026 | Bad tokens cause a silent redirect; observability work to instrument. |
| SR-051 | Admin gate relies on the Origin header | Admin authentication | In Progress | Q3-2026 | Hardening in progress: the Origin-header check is being strengthened to a server-side session check. |
| SR-052 | Real-time disconnect does not eagerly remove from online set | Real-time | Accepted | — | Online window extends to the TTL boundary; product-acceptable. |
## Known accepted behavior
These items appear in the register as Accepted because they are intentional product decisions, not unaddressed defects. Each has a documented rationale and a compensating control where appropriate.
| ID | Behavior | Rationale |
|---|---|---|
| SR-021 | Local-dev CAPTCHA bypass | Developer ergonomics; environment flag cannot be set in production. |
| SR-026 | Trace context not propagated through Redis pub/sub | Internal observability only; no customer impact. |
| SR-041 | Leaderboard 60s staleness | Performance trade-off documented in product spec. |
| SR-044 | No admin bet-rollback endpoint | Corrections via balance-adjustment by design. |
| SR-052 | Online-presence TTL window | Product-accepted display behavior. |
## Reporting a security issue

Please report suspected vulnerabilities to {{TBD: security@ebit.example}} with the subject line "Security report". The incident-response process is described in docs/security/security-incident-policy.md.
## Cross-references

- Incident-response process (customer-shareable): docs/security/security-incident-policy.md
- Internal full-detail register: available on request under NDA
- Compliance / NFR commitments: docs/business/nfr-sla.md