Webhook Dispatcher — Service Risk Register
Status: populated | Owner: Platform Engineering | Last updated: 2026-04-18
Risk Matrix
| ID | Risk | Likelihood | Impact | Severity | Mitigation | Owner |
|---|---|---|---|---|---|---|
| RISK-HOOK-01 | Customer endpoint mass outage → dead-letter flood | Medium | High | HIGH | Dead-letter rate alert; platform replay tooling (roadmap) | Platform Eng |
| RISK-HOOK-02 | Webhook secret leaked via API response | Low | Critical | CRITICAL | Secret never returned; masked in DB response; test coverage | Security |
| RISK-HOOK-03 | SSRF via customer-supplied webhook URL | Low | Critical | CRITICAL | NetworkPolicy blocks private ranges; URL validation | Security |
| RISK-HOOK-04 | KMS unavailability blocks all deliveries | Low | High | HIGH | In-memory secret cache (5 min TTL); KMS SLA 99.99% | Platform Eng |
| RISK-HOOK-05 | Retry poller falls behind under load | Medium | Medium | MEDIUM | SKIP LOCKED fan-out across pods; batch size tuning; HPA | Platform Eng |
| RISK-HOOK-06 | Webhook secret brute-force by malicious endpoint | Low | Medium | MEDIUM | Rate limiting on outbound; no value in brute-forcing (they own the endpoint) | Security |
| RISK-HOOK-07 | payload_snapshot JSONB grows too large on high-volume accounts | Low | Medium | MEDIUM | TOAST compression enabled; 512-char response_body_preview cap; retention 30 days | DBA |
| RISK-HOOK-08 | Customer registers 10 webhooks with bad URLs then never fixes them | Medium | Medium | MEDIUM | Dead-letter rate per-webhook alert; platform dashboard showing error rate | Product |
| RISK-HOOK-09 | NATS webhook.dispatch schema breaking change from dlr-processor | Low | High | HIGH | Pact contract tests; tolerant reader; 30-day parallel publish protocol | Platform Eng |
Risk Review Cadence
Reviewed monthly in the Platform Engineering architecture sync.