Skip to main content

Potential Data Exposure in ICANN RFP System Resolved

LOS ANGELES – 12 January 2018 – The Internet Corporation for Names and Numbers (ICANN) today disclosed a potential data exposure with JAGGAER (formerly SciQuest), the software as a service (SaaS) tool used for sourcing suppliers via competitive bidding processes such as Requests for Proposal (RFPs). Two suppliers made ICANN aware of the issue on 4 December 2017. ICANN logged a severity 1 problem with JAGGAER immediately, and the vendor resolved the problem within 48 hours.

The issue occurred in a module called Sourcing Director, which is used for administering RFPs. Each RFP has a Question and Answer (Q&A) Board where RFP participants can post questions for the ICANN RFP team. Only the ICANN RFP team sees the questions while they are unanswered. ICANN posts the answer publicly, but the identity of the asker is not revealed on the website.

The exposure occurred if RFP participants downloaded the page as a file extract. The extract listed the names of the entities that asked questions. We recognize that the problem undermined the expected confidentiality of those asking questions and potentially gave RFP bidders the names of some of their competitors. As soon as ICANN learned of the problem, we reposted all questions and answers as if they came from ICANN, so the names of those asking questions no longer appeared in the file extract.

This problem was not limited to ICANN. JAGGAER has verified that it was introduced on 10 November 2017 with the JAGGAER 17.3 upgrade that contained an enhancement to the Q&A file format. Because most people view the Q&A Board without file extraction, ICANN believes the data exposure was minimal. Bidders in three RFPs may have been affected, and they have already been informed of the issue.

ICANN is making this information public as part of our commitment to openness and transparency. If you have any questions or feedback, please email globalsupport@icann.org and put "JAGGAER Data Issue" in the subject line.

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.


More Announcements
Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."