Risk Register
:::info Source
Sourced from services/marketplace-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-MP-01 | Purchase saga split-brain (paid, no license issued) | S1 | Revenue + trust | Idempotent steps; compensations; reconciliation job; 30-min saga timeout | Marketplace + Billing |
| R-MP-02 | Payment compliance gaps | S1 | PCI incident | Tokenization; SAQ-A; anti-corruption layer (ACL) abstracting the payment processor | Marketplace + Billing + Security |
| R-MP-03 | SCORM 1.2 conformance regression | S2 | 3rd-party LMSs reject | SCORM Cloud in CI (content-service) | Content (upstream) |
| R-MP-04 | Refund abuse / chargeback scam | S2 | Revenue loss | 3DS; evidence collection; per-buyer refund rate monitoring | Marketplace + Billing |
| R-MP-05 | Cross-tenant listing scraping | S3 | IP theft | Rate limit on anonymous browse; legal DMCA workflow | Marketplace + Legal |
| R-MP-06 | Coupon abuse (stacking, reuse) | S3 | Margin | Redemption SELECT FOR UPDATE; per-user limits; max redemptions | Marketplace |
| R-MP-07 | KYC gap → unverified provider | S2 | Legal exposure | KYC required before live; quarterly re-verification | Compliance + Marketplace |
| R-MP-08 | Coupon reveal before active | S3 | Promo leak | Draft coupons scoped to admin; enforce activatedAt | Marketplace |
| R-MP-09 | Fake reviews | S3 | Trust erosion | Purchase-gated reviews; ML classifier; anomaly detection | Marketplace + AI |
| R-MP-10 | Provider payout sent to wrong account | S1 | Financial fraud | Bank account verification (micro-deposit); manual approval on large payouts | Billing + Marketplace |
| R-MP-11 | Listing approved with illegal content | S1 | Platform legal | Submitted listings queue; manual review for sensitive categories; AI moderation | Marketplace + Trust & Safety |
| R-MP-12 | Flash sale overwhelms saga | S2 | Orders delayed/failed | Autoscale; rate limit; queue-friendly UX | Marketplace + SRE |
| R-MP-13 | AI pricing suggestion bias | S3 | Unfair pricing | Bias eval quarterly | Marketplace + AI + Compliance |
| R-MP-14 | Multi-currency rounding errors | S3 | Penny-level drift | Money type in micro-units; rounding rules tested | Marketplace + Billing |
| R-MP-15 | GDPR erasure / order retention conflict | S2 | Regulatory exposure | Tax-record retention (legal hold) overrides erasure; anonymize remaining user PII | Compliance + Marketplace |
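The R-MP-01 mitigation (idempotent steps, compensations, reconciliation job, 30-minute timeout) as a runnable sketch. This is an added example, not the marketplace-service code: `PaymentProcessor` and `LicenseService` are constructed stand-ins for the billing ACL and the entitlement service, and the names `run_purchase_saga` and `reconcile` are assumptions. It injects the two failure modes the register is about: a step that succeeded but whose acknowledgement was lost (so the step is re-run), and an outage that leaves an order paid without a license past the timeout (so the reconciler either completes it or refunds).

```python
"""Purchase saga for R-MP-01: idempotent steps, compensation, reconciliation (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SAGA_TIMEOUT = timedelta(minutes=30)   # from the register: stuck 'paid' orders are reconciled after this


class LicenseUnavailable(Exception):
    """Raised by the license step when it cannot (yet) issue a license."""


@dataclass
class Order:
    order_id: str
    amount_minor: int
    state: str = "created"                # created -> paid -> licensed, or paid -> refunded
    payment_id: Optional[str] = None
    license_id: Optional[str] = None
    updated_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class PaymentProcessor:
    """Constructed stand-in for the billing ACL; charges are keyed on order_id (idempotency key)."""
    def __init__(self):
        self.charges = {}        # idempotency_key -> payment_id
        self.refunds = set()     # payment_ids refunded
        self.charge_calls = 0    # how often charge() was invoked, including retries

    def charge(self, key, amount_minor):
        self.charge_calls += 1
        if key not in self.charges:           # a retry with the same key never double-charges
            self.charges[key] = f"pay_{len(self.charges) + 1}"
        return self.charges[key]

    def refund(self, payment_id):
        self.refunds.add(payment_id)          # compensation for a charge that cannot be fulfilled


class LicenseService:
    """Constructed stand-in for the entitlement service; issue() is idempotent on order_id."""
    def __init__(self):
        self.licenses = {}
        self.outage = False          # chaos: every call fails
        self.drop_next_ack = False   # chaos: the license is written, but the response is lost

    def issue(self, order_id):
        if self.outage:
            raise LicenseUnavailable("license service down")
        if order_id not in self.licenses:
            self.licenses[order_id] = f"lic_{len(self.licenses) + 1}"
        if self.drop_next_ack:
            self.drop_next_ack = False
            raise LicenseUnavailable("timeout waiting for ack")
        return self.licenses[order_id]


def run_purchase_saga(order, payments, licenses, now):
    """Advance one order as far as possible; every step may be re-run safely after a crash."""
    if order.state == "created":
        order.payment_id = payments.charge(order.order_id, order.amount_minor)
        order.state, order.updated_at = "paid", now
    if order.state == "paid":
        try:
            order.license_id = licenses.issue(order.order_id)
        except LicenseUnavailable:
            return order                      # stay 'paid'; the reconciler owns it from here
        order.state, order.updated_at = "licensed", now
    return order


def reconcile(orders, payments, licenses, now, timeout=SAGA_TIMEOUT):
    """Reconciliation job: complete or compensate orders stuck in 'paid' beyond the timeout.
    Returns {order_id: resulting state} for every order it touched."""
    actions = {}
    for order in orders:
        if order.state != "paid" or now - order.updated_at < timeout:
            continue
        try:
            order.license_id = licenses.issue(order.order_id)   # idempotent: reuses a license whose ack was lost
            order.state = "licensed"
        except LicenseUnavailable:
            payments.refund(order.payment_id)                   # never leave paid-without-license standing
            order.state = "refunded"
        order.updated_at = now
        actions[order.order_id] = order.state
    return actions


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    pay, lic = PaymentProcessor(), LicenseService()
    stuck = run_purchase_saga(Order("ord_demo", 4999), pay, lic, t0)
    lic.outage = True
    print(reconcile([stuck], pay, lic, t0 + timedelta(minutes=31)))
```

Two properties carry the weight: the charge is keyed on `order_id`, so re-running step one after a crash returns the existing payment instead of charging twice, and the license step is idempotent on the same key, so the reconciler can call it again without knowing whether the earlier attempt half-succeeded. The refund is the compensation for the only branch where the saga cannot move forward.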
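For R-MP-06 and R-MP-08, the redemption path written as a single lock, check, write transaction: the counter and the per-user count are read under the lock, so two concurrent redeemers cannot both pass the `max_redemptions` check, and a draft coupon or one whose `activatedAt` is in the future is refused. This is an added example, not the project's own code. It uses SQLite so it runs offline; SQLite has no row-level locks, so `BEGIN IMMEDIATE` takes the database write lock where the register's `SELECT ... FOR UPDATE` would go (the PostgreSQL form is in a comment). The schema, the column names, the `redeem`/`stress` functions and the coupons `SAVE10` and `LAUNCH50` are all constructed for the example.

```python
"""Coupon redemption for R-MP-06/R-MP-08: lock, check, then write, in one transaction (added example)."""
import os
import sqlite3
import tempfile
import threading
from datetime import datetime, timedelta, timezone

# Constructed schema; column names are assumptions, not the service's real ones.
SCHEMA = """
CREATE TABLE coupons (
    id              TEXT PRIMARY KEY,
    status          TEXT NOT NULL,      -- 'draft' or 'active'
    activated_at    TEXT NOT NULL,      -- ISO-8601, UTC
    expires_at      TEXT NOT NULL,
    max_redemptions INTEGER NOT NULL,
    per_user_limit  INTEGER NOT NULL,
    redemptions     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE redemptions (
    coupon_id TEXT NOT NULL,
    user_id   TEXT NOT NULL,
    order_id  TEXT NOT NULL,
    PRIMARY KEY (coupon_id, order_id)   -- one redemption per order: a retried request is a no-op
);
"""


class Rejected(Exception):
    """Carries the reason a redemption was refused."""


def _require(cond, reason):
    if not cond:
        raise Rejected(reason)


def make_db(now):
    """Create a file-backed SQLite DB holding two constructed coupons; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "coupons.db")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    rows = [  # id, status, activated_at, expires_at, max_redemptions, per_user_limit
        ("SAVE10", "active", now - timedelta(days=1), now + timedelta(days=7), 5, 1),
        ("LAUNCH50", "draft", now + timedelta(days=3), now + timedelta(days=10), 100, 1),
    ]
    conn.executemany("INSERT INTO coupons VALUES (?,?,?,?,?,?,0)",
                     [(i, s, a.isoformat(), e.isoformat(), m, p) for i, s, a, e, m, p in rows])
    conn.commit()
    conn.close()
    return path


def redeem(path, coupon_id, user_id, order_id, now):
    """Redeem coupon_id for order_id atomically. Returns 'ok' or the rejection reason."""
    conn = sqlite3.connect(path, timeout=5, isolation_level=None)   # manual transaction control
    try:
        # PostgreSQL: BEGIN; SELECT ... FROM coupons WHERE id = %s FOR UPDATE;
        # SQLite has no row locks, so BEGIN IMMEDIATE takes the write lock up front. Either way the
        # counter read below cannot interleave with another redeemer's read-check-write.
        conn.execute("BEGIN IMMEDIATE")
        row = conn.execute(
            "SELECT status, activated_at, expires_at, max_redemptions, per_user_limit, redemptions "
            "FROM coupons WHERE id = ?", (coupon_id,)).fetchone()
        _require(row is not None, "unknown_coupon")
        status, activated_at, expires_at, max_red, per_user, count = row
        dup = conn.execute("SELECT 1 FROM redemptions WHERE coupon_id = ? AND order_id = ?",
                           (coupon_id, order_id)).fetchone()
        _require(dup is None, "duplicate")          # idempotent retry: already applied to this order
        # R-MP-08: drafts and not-yet-activated coupons are not redeemable, whoever can see them
        _require(status == "active" and now >= datetime.fromisoformat(activated_at), "not_active")
        _require(now < datetime.fromisoformat(expires_at), "expired")
        _require(count < max_red, "exhausted")      # global cap, checked under the lock
        user_count = conn.execute("SELECT COUNT(*) FROM redemptions WHERE coupon_id = ? AND user_id = ?",
                                  (coupon_id, user_id)).fetchone()[0]
        _require(user_count < per_user, "per_user_limit")
        conn.execute("INSERT INTO redemptions VALUES (?,?,?)", (coupon_id, user_id, order_id))
        conn.execute("UPDATE coupons SET redemptions = redemptions + 1 WHERE id = ?", (coupon_id,))
        conn.execute("COMMIT")
        return "ok"
    except Rejected as r:
        conn.execute("ROLLBACK")
        return str(r)
    finally:
        conn.close()


def redemption_count(path, coupon_id):
    """Read the stored counter; after stress() it must equal the number of 'ok' results."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT redemptions FROM coupons WHERE id = ?", (coupon_id,)).fetchone()[0]
    finally:
        conn.close()


def stress(path, coupon_id, attempts, now):
    """Fire `attempts` concurrent redemptions by distinct users; returns a count of each outcome."""
    results = []

    def worker(i):
        results.append(redeem(path, coupon_id, f"user_{i}", f"order_{i}", now))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {r: results.count(r) for r in set(results)}
```

The duplicate check on `(coupon_id, order_id)` is what makes a retried checkout safe; the per-user and global limits are what stop stacking and reuse. Without the lock, the `count < max_red` test is a check-then-act race, and a burst of requests can push `redemptions` past the cap.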
Governance
- Saga chaos tests + reconciliation job run on every release.
- Quarterly: fraud & abuse review.
- Provider onboarding: KYC audit.