Proposed Skill
Skill name: recovery-contact-change-notification-review
Category: auth
Severity: medium
What It Detects
Recovery contact changes can silently weaken account safety when notifications, cooldowns, and actor binding are not commensurate with the privilege such a change confers: redirecting all future recovery.
Why This Skill Is Needed
Changing recovery channels is a classic precursor to takeover. A dedicated skill would help reviewers inspect whether these changes are treated as security-critical events rather than simple profile edits.
Detection Approach
Trace recovery contact update, verification, notification, cooldown, and use in later recovery flows. Review stale sessions, partial verification, and whether old contacts are meaningfully warned before losing recovery influence.
Languages / Frameworks
- Account recovery settings
- Contact and channel management workflows
Example Vulnerable Code
An attacker or stale session changes the recovery contact, and the system either fails to notify the previous channel promptly or allows the new recovery path to become authoritative too quickly.
Example Remediation
Treat recovery contact changes as high-risk security updates, require strong current-session proof, notify existing channels immediately, and enforce cooldown before the new contact can drive critical recovery.
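The following is an added illustration of the vulnerable pattern and the remediation described above; it is not code from this proposal or from any project. The re-authentication window, the cooldown length, the e-mail addresses and the in-memory notification list are assumptions chosen for the demo, and a real service would persist the staged change and emit an audit event for it.

```python
# Added illustration for the remediation above; not code from the proposal or any project.
# Windows, names and the in-memory notification list are assumptions made for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

REAUTH_WINDOW = timedelta(minutes=5)  # assumed: max age of credential proof for this change
COOLDOWN = timedelta(hours=24)        # assumed: delay before the new contact may drive recovery

@dataclass
class Session:
    user_id: str
    authenticated_at: datetime  # when the user last proved possession of credentials

@dataclass
class Account:
    user_id: str
    recovery_email: str                  # contact allowed to drive recovery right now
    pending_email: Optional[str] = None  # staged replacement, not yet authoritative
    pending_since: Optional[datetime] = None
    pending_verified: bool = False
    pending_token: Optional[str] = None
    notifications: list = field(default_factory=list)  # constructed stand-in for a mailer

class ReauthRequired(Exception):
    pass

def vulnerable_change(account: Account, session: Session, new_email: str) -> None:
    """'Before' handler: any session, however stale, swaps the contact at once; the old
    channel is never told and the new one can drive recovery immediately."""
    account.recovery_email = new_email

def hardened_change(account: Account, session: Session, new_email: str, now: datetime) -> str:
    """Bind to the actor, demand fresh proof, warn the old channel, stage under a cooldown."""
    if session.user_id != account.user_id:
        raise PermissionError("session does not belong to this account")
    if now - session.authenticated_at > REAUTH_WINDOW:
        raise ReauthRequired("re-authenticate before changing the recovery contact")
    token = secrets.token_urlsafe(16)
    account.pending_email, account.pending_since = new_email, now
    account.pending_verified, account.pending_token = False, token
    # The channel about to lose recovery influence is warned immediately and may cancel.
    account.notifications.append((account.recovery_email, "recovery-contact-change-requested"))
    account.notifications.append((new_email, "verify:" + token))
    return token

def verify_new_contact(account: Account, token: str) -> bool:
    """Proves possession of the new channel; it still has to wait out the cooldown."""
    if account.pending_token is None or not secrets.compare_digest(token, account.pending_token):
        return False
    account.pending_verified = True
    return True

def cancel_pending_change(account: Account) -> None:
    """Drops the staged change (used when the old contact cancels, and after promotion)."""
    account.pending_email = account.pending_since = account.pending_token = None
    account.pending_verified = False

def authoritative_recovery_contact(account: Account, now: datetime) -> str:
    """The only contact a recovery flow may use now. The staged contact is promoted only
    once it is verified and the cooldown has elapsed; until then the old one stays in charge."""
    if (account.pending_email and account.pending_verified
            and now - account.pending_since >= COOLDOWN):
        account.recovery_email = account.pending_email
        cancel_pending_change(account)
    return account.recovery_email

def demo() -> dict:
    """Runs both handlers against stale and fresh sessions; returns what each allowed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    stale = Session("u1", t0 - timedelta(days=3))
    fresh = Session("u1", t0 - timedelta(minutes=1))
    weak = Account("u1", "old@example.test")
    vulnerable_change(weak, stale, "new@example.test")
    strong = Account("u1", "old@example.test")
    try:
        hardened_change(strong, stale, "new@example.test", t0)
        stale_rejected = False
    except ReauthRequired:
        stale_rejected = True
    verify_new_contact(strong, hardened_change(strong, fresh, "new@example.test", t0))
    reverted = Account("u1", "old@example.test")
    hardened_change(reverted, fresh, "new@example.test", t0)
    cancel_pending_change(reverted)  # the warned old contact backs the change out
    return {
        "weak_contact": weak.recovery_email,
        "weak_notified_old": any(to == "old@example.test" for to, _ in weak.notifications),
        "stale_rejected": stale_rejected,
        "strong_notified_old": any(to == "old@example.test" for to, _ in strong.notifications),
        "during_cooldown": authoritative_recovery_contact(strong, t0 + timedelta(hours=1)),
        "after_cooldown": authoritative_recovery_contact(strong, t0 + COOLDOWN),
        "cancelled": authoritative_recovery_contact(reverted, t0 + COOLDOWN),
    }
```

Calling `demo()` shows the contrast a reviewer is looking for: the weak handler lets a three-day-old session replace the contact with no message to the old channel, while the hardened one rejects that session, warns the old channel before anything changes, keeps the old contact authoritative for the whole cooldown, and lets the old channel cancel the staged change.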
References
- NIST SP 800-63
- OWASP ASVS
- Account recovery governance guidance
Estimated Complexity
Bounty Info
Wait for maintainer approval before starting implementation. We'll confirm scope and expected bounty tier within 48 hours.