As many of you may be aware, this week PASS launched the new SQLSaturday website. 

Shortly after launching the site we were notified of a security vulnerability which meant that sponsors’ contact details (company or individual name, Twitter handle, address, and zip/postal code) were all visible. The intention of making this information available was to streamline the process for sponsors to sign up for an event without having to re-enter their details each time. However, given that some of our sponsors use their home address as contact information, there were concerns about having this information publicly available on the site. This information was immediately taken down and, out of an abundance of caution, we also made the decision to conduct a full assessment to ensure no other issues existed.

During testing an additional security vulnerability was discovered – it was found that parts of the SQLSaturday website were exposed to HTML injection, which, in this case, could allow an attacker to execute HTML and/or JavaScript from the session abstract page. With the structure of the SQLSaturday website, abstract submissions will be continuously open, increasing the risks associated with this vulnerability. Applying fixes for this issue and re-testing caused a further delay in the anticipated turnaround time for the re-launch.

This afternoon, after rigorous testing by PASS IT and volunteers from the community, we are pleased to announce that the site is live again.

Further detail on the actions and decisions surrounding this event will be made available in the coming days. 

We thank you for your continued patience and understanding throughout this time and look forward to providing an enhanced experience for event organizers, attendees, speakers and sponsors of SQLSaturdays with the new site going forward. Again, we would like to thank everyone who was involved in the vision, planning, feedback and testing of the site.

- Tim Ford
PASS Director, SQLSaturdays