Category: Security
Description:
Our security team identified a Major vulnerability (CATS-VULN-00097) due to the absence of brute-force protection on local accounts in Digital.ai Release.
o Currently, Release does not implement a mechanism to block/throttle local accounts after repeated failed login attempts.
o We cannot rely on an external IdP (Keycloak/LDAP/OIDC) due to organizational/operational constraints, and network-level protections were not effective.
o As a result, we request a native protection mechanism within Release.
Why this matters:
o The vulnerability is flagged Major by our internal security team and is blocking closure.
o Other mitigations (IdP, WAF, network layer) are not viable in our context.
o Security compliance requires a product-level solution.
Proposed approach (flexible & configurable):
o Throttling / backoff: Progressive delay after N failed attempts per username or IP.
o Temporary lockout: Configurable lockout period with admin override/unlock.
o Exception handling for technical/service accounts to avoid automation outages.
o Audit logging + metrics for monitoring/alerting.
o Admin-configurable thresholds and reset behavior.
o Feature disabled by default to maintain backward compatibility.
by: Hélène D. | 25 days ago | Administration
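To make the proposed mechanism concrete, here is an added example of a per-key (username or client IP) guard with progressive backoff, temporary lockout, an exemption list for service accounts, an audit trail, and an off-by-default switch. It is illustration code written for this page, not Digital.ai Release's implementation; the `LoginGuard` name, the thresholds and delays, and the explicit `now` timestamps (passed in by the caller for testability) are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Tracks failed logins per key: progressive delay after `threshold`
    failures, temporary lockout after `lockout_after`, service-account
    exemptions and audit events. Disabled by default, as the idea proposes."""
    enabled: bool = False
    threshold: int = 3            # failures before throttling starts (assumed)
    base_delay: float = 1.0       # seconds; doubles with each further failure
    max_delay: float = 60.0       # cap on the progressive delay
    lockout_after: int = 8        # failures that trigger a temporary lockout
    lockout_seconds: float = 900.0
    exempt: frozenset = frozenset()            # technical/service accounts
    state: dict = field(default_factory=dict)  # key -> (failures, not_before)
    audit: list = field(default_factory=list)  # (event, key, timestamp, detail)

    def wait_time(self, key: str, now: float) -> float:
        """Seconds the caller must wait before another attempt (0.0 = allowed)."""
        if not self.enabled or key in self.exempt:
            return 0.0
        _, not_before = self.state.get(key, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, key: str, now: float) -> float:
        """Register a failed attempt; returns the delay imposed on the next one."""
        if not self.enabled:
            return 0.0
        if key in self.exempt:
            self.audit.append(("failure_exempt", key, now, 0.0))  # logged, never throttled
            return 0.0
        failures = self.state.get(key, (0, 0.0))[0] + 1
        if failures >= self.lockout_after:
            wait, event = self.lockout_seconds, "lockout"
        elif failures >= self.threshold:
            wait = min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)
            event = "throttle"
        else:
            wait, event = 0.0, "failure"
        self.state[key] = (failures, now + wait)
        self.audit.append((event, key, now, wait))
        return wait

    def record_success(self, key: str) -> None:
        self.state.pop(key, None)  # a successful login resets the counter

    def admin_unlock(self, key: str, admin: str) -> None:
        self.state.pop(key, None)  # admin override; who did it goes in the audit trail
        self.audit.append(("admin_unlock", key, None, admin))
```

The same object can be keyed by username and, separately, by source IP, so both counters the idea mentions can run side by side; the audit list is where monitoring and alerting would hook in.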
Comments
Thank you for your idea. We recognize the importance of strengthening protection for internal user accounts. We plan to explore options in Q4 2025 and will share the proposed direction in this thread as we make progress.