Enterprise Risk Register
Organization: ZKProva
System: ZKP-Powered Portable Credit Union Identity
SOC 2 Criteria: CC3.1 (Risk Identification)
Document Version: 1.0
Effective Date: 2026-02-28
Classification: Confidential
Review Cadence: Quarterly (next review: 2026-05-31)
Table of Contents
- Risk Scoring Methodology
- Risk Register
- Risk Heat Map
- Review History
- Document Control
Risk Scoring Methodology
Likelihood Scale
| Score | Level | Definition |
| --- | --- | --- |
| 1 | Rare | Occurs less than once per year; requires sophisticated, targeted attack or multiple simultaneous failures |
| 2 | Unlikely | Could occur once per year; requires deliberate effort but known attack vectors exist |
| 3 | Possible | Could occur multiple times per year; attack surface is exposed or failure mode has precedent |
| 4 | Likely | Expected to occur quarterly; common attack pattern or known weakness |
| 5 | Almost Certain | Expected to occur monthly or more frequently; actively exploited or systemic weakness |
Impact Scale
| Score | Level | Definition |
| --- | --- | --- |
| 1 | Negligible | No data exposure, no service impact, cosmetic only |
| 2 | Minor | Brief service degradation (<15 min), no data exposure, limited user impact |
| 3 | Moderate | Service outage (15 min–4 hours), potential exposure of non-sensitive data, partner notification required |
| 4 | Major | Extended outage (>4 hours), exposure of member PII or credential data, regulatory notification required |
| 5 | Severe | Cryptographic compromise, mass credential forgery, complete loss of trust in system integrity |
Risk Score
Risk Score = Likelihood x Impact
| Score Range | Risk Level | Action Required |
| --- | --- | --- |
| 1–4 | Low | Accept risk; monitor during quarterly review |
| 5–9 | Medium | Mitigate within current quarter; document compensating controls |
| 10–15 | High | Mitigate within 30 days; escalate to leadership |
| 16–25 | Critical | Immediate action required; block production deployment until resolved |
Risk Register
R-001: JWT Authentication Bypass
| Field | Value |
| --- | --- |
| ID | R-001 |
| Description | Attacker forges or manipulates JWT tokens to gain unauthorized access as any user role (member, lender, admin). Attack vectors include weak signing key, algorithm confusion (none/HS256 swap), or token replay. |
| Likelihood | 2 (Unlikely) |
| Impact | 5 (Severe) |
| Risk Score | 10 (High) |
| Current Mitigations | HS256 signing with minimum 32-character key enforced at startup. Known development keys rejected in production. PyJWT library (not python-jose) with explicit algorithm whitelist. Null-signature bypass patched (#60). JWT expiration enforced (access: 30 min, refresh: 7 days). |
| Residual Risk | Medium — Key stored in Secrets Manager (no HSM). Algorithm confusion mitigated but not tested via external pentest. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-002: ZKP Proof Forgery
| Field | Value |
| --- | --- |
| ID | R-002 |
| Description | Attacker crafts a valid-looking Groth16 proof that passes verification with false claims (e.g., fabricated credit score, false membership). Could undermine the fundamental trust model of the system. |
| Likelihood | 1 (Rare) |
| Impact | 5 (Severe) |
| Risk Score | 5 (Medium) |
| Current Mitigations | Groth16 provides computational soundness — forgery requires breaking the discrete log assumption on BN254. Verification key is derived from trusted setup and hardcoded. snarkjs library is widely audited. Proof verification is mathematical, not application-logic dependent. |
| Residual Risk | Low — Groth16 is cryptographically sound. Risk increases if trusted setup ceremony is compromised or if a vulnerability is discovered in snarkjs/BN254. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-003: Credential Database Breach
| Field | Value |
| --- | --- |
| ID | R-003 |
| Description | Attacker gains unauthorized access to PostgreSQL and exfiltrates the credentials table (AES-256-GCM encrypted credential data) and/or the members table (email addresses, bcrypt-hashed passwords). |
| Likelihood | 2 (Unlikely) |
| Impact | 5 (Severe) |
| Risk Score | 10 (High) |
| Current Mitigations | RDS instance is in private subnet (no public access). Security group restricts port 5432 to VPC CIDR only. Storage encrypted at rest (gp3). Credential data double-encrypted with AES-256-GCM at application layer. Passwords bcrypt-hashed. Pydantic input validation on all endpoints. SQLi WAF rules (AWSManagedRulesSQLiRuleSet). LIKE injection patched (#63). |
| Residual Risk | Medium — AES key is in Secrets Manager (not HSM). If both DB and Secrets Manager are compromised, credential data is exposed. No database activity monitoring (DAM) beyond audit logs. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-004: Server-Side Request Forgery (SSRF)
| Field | Value |
| --- | --- |
| ID | R-004 |
| Description | Attacker exploits webhook URL registration to make the server send requests to internal resources (AWS metadata service, internal APIs, private network endpoints). |
| Likelihood | 2 (Unlikely) |
| Impact | 4 (Major) |
| Risk Score | 8 (Medium) |
| Current Mitigations | SSRF protection implemented (#63): webhook URLs validated against allowlist of permitted schemes (https only) and blocked internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254). WAF AWSManagedRulesKnownBadInputsRuleSet blocks known SSRF patterns. |
| Residual Risk | Low — DNS rebinding attacks could theoretically bypass IP validation. Consider adding DNS resolution validation before request dispatch. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
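The DNS resolution check suggested under R-004's residual risk, sketched as an added example (not ZKProva's code). The names `validate_webhook`, `WebhookRejected`, `system_resolver` and `is_blocked` are hypothetical, and the blocked list is limited to the ranges this register names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges listed in the R-004 mitigation (constructed here as networks).
# A production list would normally also cover loopback and link-local space.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.169.254/32")]


class WebhookRejected(ValueError):
    """Raised when a webhook URL fails validation."""


def system_resolver(host, port):
    """Return every address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_blocked(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot dodge the IPv4 list.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def validate_webhook(url, resolver=system_resolver):
    """Return (host, pinned_ip, port) for an acceptable URL, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise WebhookRejected("only https URLs with a host are allowed")
    port = parts.port or 443
    addrs = resolver(parts.hostname, port)
    if not addrs:
        raise WebhookRejected("host did not resolve")
    # Reject if ANY answer is internal; a mixed answer set is a rebinding sign.
    bad = [a for a in addrs if is_blocked(a)]
    if bad:
        raise WebhookRejected(f"resolves to blocked address {bad[0]}")
    # The dispatcher must connect to pinned_ip (keeping host for SNI and the
    # Host header) instead of resolving again, or the check can be raced.
    return parts.hostname, addrs[0], port
```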
R-005: Privilege Escalation
| Field | Value |
| --- | --- |
| ID | R-005 |
| Description | A member or lender account escalates privileges to admin role, gaining access to system configuration, audit logs, and lender management functions. |
| Likelihood | 2 (Unlikely) |
| Impact | 4 (Major) |
| Risk Score | 8 (Medium) |
| Current Mitigations | RBAC enforced via middleware on every request. Role is embedded in JWT and validated server-side. Role changes require admin API access. Admin endpoints require admin role check. Verifier type-based claim filtering restricts lender data access independently of role. |
| Residual Risk | Low — Role is set at registration and stored in DB. JWT role claim is validated against DB on sensitive operations. Mass assignment / parameter tampering blocked by Pydantic strict models. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-006: Distributed Denial of Service (DDoS)
| Field | Value |
| --- | --- |
| ID | R-006 |
| Description | Volumetric or application-layer DDoS attack overwhelms the API, making credential verification and proof generation unavailable for all users. |
| Likelihood | 3 (Possible) |
| Impact | 3 (Moderate) |
| Risk Score | 9 (Medium) |
| Current Mitigations | AWS WAF rate limiting: 2000 requests per 5-minute window per IP (regional). CloudFront WAF with rate limiting rule (CloudFront distribution). HPA auto-scales backend pods from 3 to 20 based on CPU (60% target). EKS cluster auto-scales nodes from 1 to 4. Application-level tiered rate limiting via Redis (10/60/300 RPM by plan). Geo-blocking configurable via WAF. block_all_traffic emergency toggle. |
| Residual Risk | Medium — Current WAF rate limits are per-IP; distributed attacks from many IPs require AWS Shield Advanced (not currently enabled). Node auto-scaling max of 4 may be insufficient for sustained attacks. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-007: Supply Chain Attack
| Field | Value |
| --- | --- |
| ID | R-007 |
| Description | A compromised dependency (Python pip package or npm package) introduces malicious code into the application, potentially exfiltrating secrets or member data. |
| Likelihood | 2 (Unlikely) |
| Impact | 5 (Severe) |
| Risk Score | 10 (High) |
| Current Mitigations | Dependabot monitors Python and JavaScript dependencies weekly (#64). Trivy scans container images in CI and fails on critical/high CVEs (#65). Gitleaks scans for leaked secrets (#66). Lockfiles (requirements.txt, package-lock.json) pin dependency versions. Minimal Docker base images reduce attack surface. Non-root container execution (#61). |
| Residual Risk | Medium — No SAST tool beyond linting (Gap #8). Dependencies are not vendored. No software bill of materials (SBOM) generated. Trivy scans known CVEs but not zero-day supply chain compromises. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-008: Cryptographic Key Compromise (No HSM)
| Field | Value |
| --- | --- |
| ID | R-008 |
| Description | The Ed25519 issuer signing key, AES-256-GCM encryption key, or JWT signing key is exfiltrated from AWS Secrets Manager, enabling credential forgery, data decryption, or authentication bypass. |
| Likelihood | 2 (Unlikely) |
| Impact | 5 (Severe) |
| Risk Score | 10 (High) |
| Current Mitigations | Keys stored in AWS Secrets Manager with IAM access controls. IRSA (IAM Roles for Service Accounts) limits which pods can access secrets. Secrets cached via @lru_cache — never written to disk or logs. Key rotation procedures documented (see Key Rotation Procedures). Emergency rotation procedure defined for P0 incidents. |
| Residual Risk | High — No HSM protection (Gap #6, target Q3 2026). Keys are software-managed. A compromised IAM role or Secrets Manager breach exposes all keys. The @lru_cache pattern means keys are in process memory (extractable via memory dump). |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-009: NCUA API Outage
| Field | Value |
| --- | --- |
| ID | R-009 |
| Description | The NCUA (National Credit Union Administration) API becomes unavailable, preventing validation of credit union charter numbers during new issuer onboarding. |
| Likelihood | 3 (Possible) |
| Impact | 2 (Minor) |
| Risk Score | 6 (Medium) |
| Current Mitigations | Fail-closed design (#60): new issuer registration is blocked when NCUA API is unavailable, preventing unvalidated charters. Existing issuers are unaffected — charter validation is only required at registration. Grace period for transient failures. skip_ncua_validation flag available for testing environments only (gated by TESTING=1 env var, #63). |
| Residual Risk | Low — Impact is limited to new issuer onboarding. Core credential issuance and verification are unaffected. Consider caching NCUA responses to reduce API dependency. |
| Owner | Engineering Lead |
| Next Review | 2026-05-31 |
R-010: Insider Threat
| Field | Value |
| --- | --- |
| ID | R-010 |
| Description | A team member with production access (EKS kubectl, AWS Console, Secrets Manager) maliciously exfiltrates data, modifies credentials, or disrupts service. |
| Likelihood | 1 (Rare) |
| Impact | 5 (Severe) |
| Risk Score | 5 (Medium) |
| Current Mitigations | GitHub branch protection requires PR review for all code changes. CI/CD manual approval gate for production deploys. GitHub Actions OIDC for deployments (no static AWS credentials). Audit logs capture all sensitive operations with actor attribution (user ID, IP, timestamp). Structured logs dual-written to both DB and CloudWatch. Email addresses redacted in logs (#61). EKS endpoint access restricted to allowed CIDRs. |
| Residual Risk | Medium — Small team means fewer controls on production access. No formal background checks. No privileged access management (PAM) tool. No session recording for kubectl/AWS Console access. Consider implementing break-glass access patterns as team grows. |
| Owner | CEO / CTO |
| Next Review | 2026-05-31 |
Risk Heat Map
Impact
5 │ R-002,R-010   R-001,R-003
  │               R-007,R-008
4 │               R-004,R-005
  │
3 │                             R-006
  │
2 │                             R-009
  │
1 │
  └──────────────────────────────────────────────────────────────────
    1             2             3             4             5
                              Likelihood
Legend:
R-001: JWT Authentication Bypass (10)
R-002: ZKP Proof Forgery (5)
R-003: Credential Database Breach (10)
R-004: SSRF (8)
R-005: Privilege Escalation (8)
R-006: DDoS (9)
R-007: Supply Chain Attack (10)
R-008: Key Compromise / No HSM (10)
R-009: NCUA API Outage (6)
R-010: Insider Threat (5)
Risk Summary
| Risk Level | Count | IDs |
| --- | --- | --- |
| Critical (16–25) | 0 | — |
| High (10–15) | 4 | R-001, R-003, R-007, R-008 |
| Medium (5–9) | 5 | R-002, R-004, R-005, R-006, R-009 |
| Low (1–4) | 0 | — |
| Accepted | 1 | R-010 (monitored quarterly) |
Top Priority Actions
- HSM integration (R-008) — Target Q3 2026. Reduces residual risk for all key-dependent risks (R-001, R-003, R-008).
- External penetration test (R-001, R-003, R-004, R-005) — Scope document ready (#67), firm selection in progress. Validates mitigations with independent assessment.
- SAST/DAST integration (R-007) — Target Q3 2026. Adds static and dynamic analysis beyond linting and dependency scanning.
- AWS Shield Advanced evaluation (R-006) — Evaluate cost/benefit for DDoS protection beyond WAF rate limiting.
Review History
| Date | Reviewer | Changes |
| --- | --- | --- |
| 2026-02-28 | ZKProva Engineering | Initial risk register created with 10 risks derived from pentest scope (#67), SOC 2 readiness assessment, and security audit findings (#60–#66). |
Document Control
| Version | Date | Author | Description |
| --- | --- | --- | --- |
| 1.0 | 2026-02-28 | ZKProva Engineering | Initial enterprise risk register |
This document satisfies SOC 2 Trust Service Criteria CC3.1 (Risk Identification). It is reviewed quarterly and updated after security incidents, penetration tests, or significant architecture changes.