Neon CRM Vulnerability Allows Modification of Member Numbers

TL;DR: Earlier this summer the SCA configured its Neon CRM membership portal to show registered users their member number. I discovered a vulnerability in Neon One’s software that allowed technically savvy users to use that capability to change their member number to any value they desired.

After this was reported, the link to the vulnerable screen was removed, but the screen still exists and the vulnerability in the underlying Neon CRM software appears to remain unpatched.

In February the SCA completed the migration of its membership data from an aging legacy system (“Members Only”) to a new platform hosted by Neon One. Their Neon CRM service now appears to function as the system of record for the Society’s member records, including modern names, addresses, and payment information, as well as SCA-specific data such as Society name, kingdom, and member number.


When Was the Society President Hired?

The most senior officer in the Society for Creative Anachronism is the President, to whom nearly all other officers report. (The only exceptions are the Society’s Executive Assistant and, for some reason, the Manager of Information Technology.) As described when the position was last opened to new candidates, the President is the Society’s executive representative to the outside world and coordinates much of the Society’s internal operations.

The position of President was held by Isabeau della Farfalla from around April 2013 until around April 2016, when she was replaced by John the Bearkiller. Although there isn’t much documentation on how these appointments work, my understanding is that this was expected to be a three-year term (as it had been in the past), accompanied by a small stipend.

It appears that at some point in 2019 this arrangement was revised, and the position was reclassified as a salaried employee with no scheduled expiration date. I haven’t been able to find any discussion of this change in the Board Minutes or other public records of the Society’s governance.

This topic was brought up during the Board’s “Meet and Greet” session at Pennsic, and director Bricca di Ghelere indicated that she would provide an update on matters of internal staffing during the next quarterly Board meeting.