The vulnerability classes we hunt

Full database read/write without authentication. Any visitor could have dumped the entire patient database.

Key rotated within 4 hours. Service-role usage moved to server-only API routes. RLS policies strengthened. Sentry breadcrumbs configured to redact keys.

Chain from unauthenticated web request to EC2 instance role credentials. Role had S3 full access, RDS read, and Secrets Manager read. Complete account compromise available.

IMDSv2 enforced via SCP. Application patched. WAF rules added for SSRF patterns. IAM roles scoped down per least-privilege review.

GraphQL introspection enabled exposed full schema. Admin secret rotated quarterly with a predictable pattern. Cracked in minutes. Full database access via Hasura admin console.

Introspection disabled in production. Admin secret rotated to entropy-generated. Rate limiting added. Row-level auth rules reviewed and tightened.

Role assignment stored in unsafe_metadata (client-writable). Any authenticated user could PATCH their own user object to become admin of their organization. Cross-tenant access possible via admin-only Convex functions.

Role moved to private_metadata (server-only). Convex functions hardened with explicit role checks. Clerk webhook listeners added to detect metadata tampering attempts.

Sentry project was public (misconfiguration). Error breadcrumbs included credit card BIN fragments, partial cardholder names, and session tokens from checkout errors. PCI DSS 4.0 Requirement 6.4.3 failure.

Sentry project set to private. PII scrubbing rules applied. Payment page script inventory completed per PCI DSS 4.0. Feroot deployed for ongoing payment page monitoring.

Development Elasticsearch cluster accessible from internet with no authentication. Indices included production log samples with authentication tokens and internal API keys. Grafana on the same network still had default admin/admin credentials.

Cluster moved behind ZTNA. X-Pack authentication enabled. Grafana credentials rotated with SSO enforced. Network segmentation review completed. Ongoing monitoring deployed.

Anonymous sign-in enabled with Firestore rules allowing `read, write: if true` on most collections. Any visitor could read every patient appointment, chat log, and provider note in the database.

Rules rewritten per principle of least privilege with explicit auth + ownership checks. Anonymous auth disabled for production tenants. App Check deployed. Security review cadence established.

Company thought they were CMMC-ready. CUI was flowing through standard M365 (not GCC High). This fails DFARS 252.204-7012 FedRAMP Moderate requirement. Contract cancellation risk.

Migration to GCC High scoped and budgeted. CUI enclave designed to minimize scope. SSP updated. Path to C3PAO assessment cleared with 6-month timeline.

Webhook handler trusted `Stripe-Signature` header with weak validation. Forged webhook could update subscription status, grant lifetime access, modify billing records, and trigger refunds.

Full Stripe webhook signature verification per Stripe docs. Idempotency keys enforced. Webhook replay protection via Stripe event ID tracking. Rate limiting on webhook endpoint.