Open SPWwj opened 1 year ago
Tester attempts to label this as a CWE-312 issue with potentially a CVSS 3.1 score of 8.4 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Rejected on grounds of: NOT AN ISSUE
One of the developers has worked as a security consultant in two separate CREST Approved certified organizations (i.e. the Singapore Government body actually requires both the security consultant and their employer organization to have various CREST certifications before they are even vetted to be allowed to test publicly known government projects); that developer has worked with Data Protection Officers and is aware of industrial security standards and the implications of not implementing them.
However, CS2103 instructions were that save files should not be encrypted so that students doing the PE testing can test to ensure that loading functionality works according to the DG/UG.
TLDR: Therefore, this reduced security requirement is a necessity for the sake of testing.
In addition, it is not uncommon for actual industries to provide a less secure version for the application testers to test before fixing the bugs on the secured version that is released to the public sphere.
Team chose [response.NotInScope]
Reason for disagreement: Response purely on the sentence below, before I accept your response...
However, CS2103 instructions were that save files should not be encrypted so that students doing the PE testing can test to ensure that loading functionality works according to the DG/UG.
Could you give the reference where you got this piece of information?
Description: AutoM8 stores contact data (confidential) in an unencrypted autom8.json file, potentially exposing sensitive user information and posing a security risk.
Steps to Reproduce:
1. autom8.json file in the application's storage directory.
2. autom8.json file and observe the contact data.
Expected Result: AutoM8 should store contact data in an encrypted format to protect sensitive user information.
Actual Result: AutoM8 stores contact data in an unencrypted autom8.json file, potentially exposing sensitive user information and posing a security risk.