Potential Data Exposure in ICANN RFP System Resolved
LOS ANGELES – 12 January 2018 – The Internet Corporation for Names and Numbers (ICANN) today disclosed a potential data exposure with JAGGAER (formerly SciQuest), the software as a service (SaaS) tool used for sourcing suppliers via competitive bidding processes such as Requests for Proposal (RFPs). Two suppliers made ICANN aware of the issue on 4 December 2017. ICANN logged a severity 1 problem with JAGGAER immediately, and the vendor resolved the problem within 48 hours.
The issue occurred in a module called Sourcing Director, which is used for administering RFPs. Each RFP has a Question and Answer (Q&A) Board where RFP participants can post questions for the ICANN RFP team. Only the ICANN RFP team sees the questions while they are unanswered. ICANN posts the answer publicly, but the identity of the asker is not revealed on the website.
The exposure occurred if RFP participants downloaded the page as a file extract. The extract listed the names of the entities that asked questions. We recognize that the problem undermined the expected confidentiality of those asking questions and potentially gave RFP bidders the names of some of their competitors. As soon as ICANN learned of the problem, we reposted all questions and answers as if they came from ICANN, so the names of those asking questions no longer appeared in the file extract.
This problem was not limited to ICANN. JAGGAER has verified that it was introduced on 10 November 2017 with the JAGGAER 17.3 upgrade that contained an enhancement to the Q&A file format. Because most people view the Q&A Board without file extraction, ICANN believes the data exposure was minimal. Bidders in three RFPs may have been affected, and they have already been informed of the issue.
ICANN is making this information public as part of our commitment to openness and transparency. If you have any questions or feedback, please email firstname.lastname@example.org and put "JAGGAER Data Issue" in the subject line.
ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.