LMS365 incident

Perform & Engage 365 - Access Control and Permission Integrity Improvements


LMS365 published a notice-level incident on December 12, 2025 affecting Perform & Engage 365 Web; no duration was recorded. The incident has been resolved, and the full update timeline is below.

Started: Dec 12, 2025, 01:02 PM UTC
Resolved: Dec 12, 2025, 01:02 PM UTC
Duration: —
Detected by Pingoru: Dec 12, 2025, 01:02 PM UTC

Affected components

Perform & Engage 365 Web

Update timeline

  1. resolved Dec 12, 2025, 01:02 PM UTC

    A customer recently reported two security-related issues affecting access controls and administrative permissions. Upon receiving the report, our team immediately investigated, validated the findings, and deployed fixes for both items. While there is no evidence of misuse, we have taken additional steps to strengthen our security posture, including initiating a new, independent penetration test to ensure comprehensive coverage.

    Details of Resolved Issues

    1. Access control for storage links: Certain file links were accessible without the expected security measures. This has now been addressed at the resource level, and an update is being deployed to ensure proper access requirements are enforced.

    2. Permissions on admin functionality: There was a scenario where users could elevate their permissions if they navigated to a specific page. This has been corrected to prevent unauthorised changes.

    If you have further questions or would like more details about the issue, please contact the Zensai Support Team.

  2. postmortem Jan 23, 2026, 01:15 PM UTC

    This report outlines two security-related issues that were identified, their root causes, and the actions taken to fully resolve them. We are sharing this transparently to maintain trust and ensure clarity on the steps taken to strengthen platform security.

    ## Issue 1: Unauthorized Access via Legacy APIs

    ### Summary

    Certain legacy API endpoints allowed unauthorized actions, including privilege escalation and access to restricted data.

    ### Root Cause

    Some older API endpoints were not aligned with current authentication and authorization standards. These endpoints were not included in recent security audits, automated scans, or penetration testing due to assumptions about their risk level and limited test scope coverage. This resulted in incomplete security validation across the full API surface.

    ### Actions Taken

    * Immediate remediation of all exposed endpoints
    * Full security scan of **1,700+ API endpoints** using automated scripts and AI-based validation
    * Introduction of centralized endpoint security validation processes
    * Expansion of dynamic security scanning to include role-based scenarios
    * Scheduling of a new penetration test with expanded scope and guidance
    * Integration of security validation into development and QA workflows

    ## Issue 2: BLOB Storage URL Exposure

    ### Summary

    Storage URLs were publicly accessible and did not include expiration (TTL), creating potential unauthorized access risk.

    ### Root Cause

    During infrastructure migration from AWS to Azure, storage URL handling was reimplemented. The new implementation did not enforce TTL or access restrictions, and security validation for storage access was not formally reviewed as part of the migration process.

    ### Actions Taken

    * Immediate implementation of **TTL (time-to-live)** on all storage URLs
    * Full obfuscation of backend storage URLs
    * Enforcement of authenticated access for file retrieval
    * Updates to QA and development review processes
    * Formalization of security validation for infrastructure and storage changes

    ## Lessons Learned

    * Legacy systems must be continuously audited and cannot be excluded from security reviews
    * Security testing must cover the **entire platform surface**, not only core or new components
    * Infrastructure and architectural changes must trigger mandatory security validation
    * Penetration testing must be supported by internal processes, automation, and continuous scanning

    ## Commitment

    We have strengthened our internal security processes, expanded automated and manual validation coverage, and embedded security checks directly into development and QA workflows. These changes ensure higher resilience, stronger prevention, and earlier detection of potential risks going forward. Security and trust remain core priorities, and we are committed to continuous improvement and transparency.
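The postmortem's Issue 1 fix hinges on two checks: a centralized rule that every endpoint must declare an authorization policy, and a role-based scan that exercises each endpoint as each role. The following is an added example written for this page, not Zensai's code: it models a tiny in-memory router with one constructed legacy endpoint that registered no policy, and shows the static audit that catches it, the dynamic role scan that catches it from the outside, and the default-deny setting that closes it. The route paths, role names and expected-policy table are all constructed for the demo.

```python
"""Added example: centralized endpoint policy audit plus role-based scan.
Hypothetical in-memory router; not the LMS365 code base."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed role hierarchy for the demo (higher number = more privilege).
ROLES = {"anonymous": 0, "learner": 1, "manager": 2, "admin": 3}


@dataclass
class Route:
    method: str
    path: str
    handler: Callable[[], object]
    min_role: Optional[str]  # None: the endpoint never declared a policy

    @property
    def name(self) -> str:
        return f"{self.method} {self.path}"


class Router:
    """Tiny dispatcher. default_deny=False reproduces the legacy behaviour
    where an endpoint with no declared policy is served to anyone."""

    def __init__(self, default_deny: bool = False):
        self.routes: list = []
        self.default_deny = default_deny

    def route(self, method: str, path: str, *, min_role: Optional[str] = None):
        def register(fn):
            self.routes.append(Route(method, path, fn, min_role))
            return fn
        return register

    def dispatch(self, method: str, path: str, role: str):
        for r in self.routes:
            if r.method == method and r.path == path:
                if r.min_role is None:
                    if self.default_deny:
                        return 403, "no policy declared"  # fail closed
                    return 200, r.handler()                # legacy: fail open
                if ROLES[role] < ROLES[r.min_role]:
                    return 403, "forbidden"
                return 200, r.handler()
        return 404, "not found"


def build_app(default_deny: bool) -> Router:
    app = Router(default_deny)

    @app.route("GET", "/api/v2/courses", min_role="learner")
    def list_courses():
        return ["course-1"]

    @app.route("POST", "/api/v2/users/role", min_role="admin")
    def change_role():
        return "role changed"

    # Constructed legacy endpoint that predates the central policy layer.
    @app.route("POST", "/api/v1/users/role")
    def legacy_change_role():
        return "role changed"

    return app


# Expected minimum role per endpoint, taken from the spec rather than from the
# code, so the scan catches endpoints whose code disagrees with intended policy.
EXPECTED_MIN_ROLE = {
    "GET /api/v2/courses": "learner",
    "POST /api/v2/users/role": "admin",
    "POST /api/v1/users/role": "admin",
}


def audit_missing_policies(app: Router) -> list:
    """Static check: every registered endpoint must declare a policy."""
    return [r.name for r in app.routes if r.min_role is None]


def role_scan(app: Router, expected=EXPECTED_MIN_ROLE) -> list:
    """Dynamic check: call every endpoint as every role and flag any 200
    returned to a role below the endpoint's expected minimum."""
    findings = []
    for r in app.routes:
        needed = ROLES[expected[r.name]]
        for role, level in ROLES.items():
            status, _ = app.dispatch(r.method, r.path, role)
            if status == 200 and level < needed:
                findings.append((r.name, role))
    return findings


if __name__ == "__main__":
    print("undeclared:", audit_missing_policies(build_app(False)))
    print("legacy findings:", role_scan(build_app(False)))
    print("hardened findings:", role_scan(build_app(True)))
```

The two checks are deliberately independent: the static audit runs in CI against the route registry and fails the build on any undeclared endpoint, while the role scan runs against a deployed instance and needs only the expected-access table, so it also catches an endpoint whose code declares the wrong role. Default deny is what turns a forgotten legacy endpoint from a silent privilege-escalation path into a 403 that someone has to fix.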
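Issue 2 describes storage URLs that were reachable by anyone who had the link and never expired; the fix was a TTL on every URL plus authenticated retrieval. The mechanism behind a provider-signed link such as an Azure Blob SAS token is a signature that binds the path to an expiry, so the example below, added for this page and not Zensai's implementation, shows the permanent public link beside a hand-rolled signed equivalent and the server-side check that rejects unsigned, tampered and expired links. The signing key, hostname and blob path are constructed; in production the key lives in a secret store or the storage provider does the signing.

```python
"""Added example: expiring, path-bound signed download URLs."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical signing key and storage host, constructed for the demo.
SIGNING_KEY = b"example-signing-key-do-not-use"
STORAGE_BASE = "https://storage.example.test"


def public_url(blob_path: str) -> str:
    """The weak pattern: a permanent, unauthenticated link straight to the blob."""
    return f"{STORAGE_BASE}/{blob_path}"


def signed_url(blob_path: str, ttl_seconds: int, *, now: Optional[int] = None,
               key: bytes = SIGNING_KEY) -> str:
    """The hardened pattern: an expiry bound to the exact path by an HMAC,
    so neither the path nor the expiry can be altered without the key."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{blob_path}|{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{STORAGE_BASE}/{blob_path}?" + urlencode({"exp": expires, "sig": sig})


def verify_url(url: str, *, now: Optional[int] = None,
               key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Server-side check before the blob is served. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "exp" not in params or "sig" not in params:
        return False, "unsigned"
    try:
        expires = int(params["exp"][0])
    except ValueError:
        return False, "bad-exp"
    blob_path = parts.path.lstrip("/")
    expected = hmac.new(key, f"{blob_path}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare, and verify the signature before trusting the expiry.
    if not hmac.compare_digest(expected, params["sig"][0]):
        return False, "bad-signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = signed_url("reports/q4.pdf", 300, now=t0)
    print(link)
    print(verify_url(link, now=t0 + 100))   # within TTL
    print(verify_url(link, now=t0 + 300))   # TTL elapsed
    print(verify_url(public_url("reports/q4.pdf"), now=t0))
```

Keep the TTL as short as the download flow allows (minutes, not days), issue the link only after the application has checked that the requesting user may read that file, and never log the full signed URL, since the signature is the credential. Putting the check on the serving side is what makes the old permanent links stop working everywhere at once.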