# Risk Register
:::info Source
Sourced from services/content-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-CT-01 | Offline bundle tamper / device-binding bug | S1 | Content piracy; license bypass | AES-256-GCM per-device; JWS signing; chaos tests; tamper detection flow | Content + Security |
| R-CT-02 | Publish saga half-failure | S1 | Orphan CourseVersions; broken catalog | Explicit compensations; chaos per step; saga state machine + timeouts | Content + Authoring + Platform |
| R-CT-03 | License envelope forgery | S1 | Piracy + compliance exposure | HSM-signed JWS; device verifies; keys rotated; per-tenant keys | Content + Security |
| R-CT-04 | SCORM 1.2 / 2004 regression | S2 | 3rd-party LMS rejects exports | SCORM Cloud in CI; fixture corpus; per-PR conformance check | Content |
| R-CT-05 | Bundle key derivation weakness | S1 | Cross-device decryption | HKDF with device pubkey; unit test vectors; security review | Content + Security |
| R-CT-06 | KMS outage blocks publishing | S2 | Build pipeline halts | Retry + alert; emergency rotation procedure | SRE + Content |
| R-CT-07 | SCORM RCE via malicious zip | S1 | Platform compromise | Sandbox (gVisor/Kata); manifest validation; no eval; AV scan | Content + Security |
| R-CT-08 | Bundle storage cost runaway | S3 | Margin erosion | Per-tenant storage quota; old-bundle GC after revocation+expiry | Content + Finance |
| R-CT-09 | Revocation propagation slow | S2 | License bypass window | Sync priority for revocations; bounded expiresAt; push notification | Content + Sync |
| R-CT-10 | Cross-tenant bundle access | S1 | Data leak | S3 prefix ACL; signed URL scope; RLS; integration tests | Content + Security |
| R-CT-11 | kid rotation premature | S2 | Valid bundles stop verifying | Overlap window ≥ 2 days; device cache updated; rollback plan | Content + Security |
| R-CT-12 | Large course build OOM | S3 | Build failures; author frustration | Streaming; size caps per plan; vertical scale headroom | Content |
| R-CT-13 | Signed URL leak in server logs | S3 | Short-window piracy | Redaction library; audit log does not retain full URL | Platform + Content |
| R-CT-14 | Manifest schema drift from player | S2 | Player can't parse newer bundles | Manifest v1 frozen (F15); additive evolution; forward-compat test | Content + Delivery |
| R-CT-15 | GDPR erasure — bundle metadata retained | S2 | Partial erasure | Participate in saga; delete bundles for erased user; audit retention legitimate | Compliance + Content |
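Rows R-CT-01 and R-CT-05 list "AES-256-GCM per-device" and "HKDF with device pubkey; unit test vectors" as the mitigations against cross-device decryption and bundle tamper. The block below is an added example (not code from the content-service or the documentation repo) of what those unit tests check: a bundle key derived with HKDF-SHA256 from a master secret and the device's public key, AES-256-GCM sealing with the bundle ID as associated data, and three assertions that a practitioner would keep in CI: the bound device decrypts, a second device's key is rejected, and a single flipped tag bit is rejected. The HKDF label, salt, master secret, device public key bytes and bundle ID are constructed placeholders, and HKDF is written out from the standard library rather than imported, so the example runs offline on any Go toolchain.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 is HKDF (RFC 5869) over HMAC-SHA256 from the standard library only:
// extract a PRK from ikm and salt, then expand it to n bytes bound to info.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869 default: HashLen zero bytes
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var okm, prev []byte
	for counter := byte(1); len(okm) < n; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// deviceBundleKey derives the AES-256 key for one bundle on one device. The
// device public key and bundle ID go into the HKDF info, so a key derived for
// device A never opens device B's copy (R-CT-05). Label and salt are assumptions.
func deviceBundleKey(masterSecret, devicePub []byte, bundleID string) []byte {
	info := append([]byte("content-service/bundle-key/v1|"+bundleID+"|"), devicePub...)
	return hkdfSHA256(masterSecret, []byte("bundle-key-salt-v1"), info, 32)
}

// sealBundle encrypts with AES-256-GCM; the bundle ID is authenticated as
// associated data so a blob cannot be relabelled. Layout: nonce || ct || tag.
func sealBundle(key, plaintext []byte, bundleID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(bundleID)), nil
}

// openBundle reverses sealBundle; a wrong key, wrong bundle ID or any bit
// flip in nonce, ciphertext or tag fails GCM authentication (R-CT-01).
func openBundle(key, sealed []byte, bundleID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed bundle too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(bundleID))
}

// demo performs the three checks a unit test for R-CT-01/R-CT-05 would assert.
func demo() (sameDeviceOK, crossDeviceRejected, tamperRejected bool) {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed; real key lives in KMS/HSM
	deviceA := []byte("constructed-device-A-pubkey")
	deviceB := []byte("constructed-device-B-pubkey")
	const bundleID = "course-123/v7" // constructed sample ID
	content := []byte("SCORM package bytes (constructed)")

	keyA := deviceBundleKey(master, deviceA, bundleID)
	keyB := deviceBundleKey(master, deviceB, bundleID)
	sealed, err := sealBundle(keyA, content, bundleID)
	if err != nil {
		return false, false, false
	}
	got, err := openBundle(keyA, sealed, bundleID)
	sameDeviceOK = err == nil && bytes.Equal(got, content)

	_, err = openBundle(keyB, sealed, bundleID)
	crossDeviceRejected = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = openBundle(keyA, tampered, bundleID)
	tamperRejected = err != nil
	return
}

func main() {
	ok, cross, tamper := demo()
	fmt.Printf("same device opens: %v, other device rejected: %v, tamper rejected: %v\n", ok, cross, tamper)
}
```

The derivation is deterministic for a given master secret, device key and bundle ID, which is what lets the "unit test vectors" in R-CT-05 pin the HKDF label and salt: any change to either breaks verification on already-shipped bundles, the same class of failure R-CT-11 tracks for signing keys.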
## Governance
- Weekly: Content Eng + Security review.
- SCORM conformance run on every PR to the packager.
- S1 items require named owner + verification + due date.