[NEW SKILL] tenant-ownership-proof-refresh-review #3012

Description

@JeremyZeng77

Proposed Skill

Skill name: tenant-ownership-proof-refresh-review
Category: auth
Severity: high

What It Detects

Long-lived tenant ownership assertions can become unsafe when proof is not refreshed after meaningful changes in domain control, leadership, or trust relationships.

Why This Skill Is Needed

Ownership proof is often treated as a one-time setup event, but real organizations change. A dedicated skill would help reviewers inspect whether sensitive actions depend on stale ownership assumptions.

Detection Approach

Trace ownership proof collection, storage, privileged action authorization, periodic review, and re-verification triggers. Review domain changes, company mergers, support overrides, and whether stale proof still authorizes high-risk control-plane actions.

Languages / Frameworks

  • Tenant ownership verification systems
  • Enterprise control-plane governance workflows

Example Vulnerable Code

A tenant can perform high-risk ownership-level actions using stale proof that no longer reflects the current controlling organization or trusted administrators.

Example Remediation

Refresh ownership proof after meaningful trust changes, separate low-risk continuity from high-risk ownership authority, and make stale proof insufficient for privileged governance actions.

References

  • NIST SP 800-53
  • OWASP ASVS
  • Enterprise ownership and control verification guidance

Estimated Complexity

  • Standard ($200) — Well-known vuln class, single language, straightforward detection
  • Intermediate ($350) — Multiple languages/frameworks, nuanced detection logic
  • Complex ($500) — Novel detection approach, comprehensive coverage, low FP rate

Bounty Info

Wait for maintainer approval before starting implementation. We'll confirm scope and expected bounty tier within 48 hours.
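As an added example (not code from the proposal or its project), the Python policy check below implements the remediation described above: high-risk ownership actions are authorized only on proof that is within the maximum age and not postdated by any trust-changing event, while low-risk continuity actions keep working on existing proof. The action names, event names and the 90-day maximum are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Trust-changing events that invalidate ownership proof for high-risk actions
# until it is re-verified (event names are constructed for this example).
REVERIFY_TRIGGERS = {"domain_change", "leadership_change", "merger", "support_override"}

# Hypothetical action tiers: continuity actions keep working on existing proof,
# ownership-level actions must not run on stale proof.
LOW_RISK_ACTIONS = {"read_billing", "rotate_api_key"}
HIGH_RISK_ACTIONS = {"transfer_tenant", "change_primary_domain", "add_global_admin", "delete_tenant"}

MAX_PROOF_AGE = timedelta(days=90)  # assumed policy value, not from the proposal

@dataclass
class OwnershipProof:
    tenant_id: str
    verified_domain: str
    verified_at: datetime

@dataclass
class TrustEvent:
    kind: str
    at: datetime

def parse_ts(value):
    """Parse an ISO-8601 date/time string into a naive datetime."""
    return datetime.fromisoformat(value)

def proof_is_fresh(proof, events, now):
    """Proof is fresh only if within MAX_PROOF_AGE and no trigger event postdates it."""
    if now - proof.verified_at > MAX_PROOF_AGE:
        return False, "proof older than policy maximum"
    changed = sorted({e.kind for e in events if e.kind in REVERIFY_TRIGGERS and e.at > proof.verified_at})
    if changed:
        return False, "trust changed since verification: " + ", ".join(changed)
    return True, "ok"

def authorize(action, proof, events, now):
    """Return (allowed, reason). Unknown actions are denied by default."""
    if action in LOW_RISK_ACTIONS:
        return True, "low-risk continuity action"
    if action not in HIGH_RISK_ACTIONS:
        return False, "unknown action; deny by default"
    fresh, why = proof_is_fresh(proof, events, now)
    if not fresh:
        return False, "re-verification required: " + why
    return True, "fresh ownership proof"
```

The event log passed to `authorize` is whatever the control plane records for domain, leadership and support-override changes; the check only asks whether any such event happened after the proof was last verified.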
