What questions would you ask to uncover the risks?

Sometimes a new feature idea lands on your desk and you think, “Looks harmless enough, but what if it isn’t?” That’s where testers shine. We’re the ones poking at the edges, asking the “what if” and “who’s thought about” questions before anyone’s knee-deep in code. You don’t need all the answers, just a healthy dose of curiosity and the nerve to ask questions that help everyone see the bigger picture.

To put that curiosity to the test, here is a scenario where you can practise asking the kinds of questions that might uncover hidden risks, impacts, or testability challenges.

Scenario:

Your team is planning a product change: they want to introduce a new feature that allows users to upload and set a profile image. You’re involved early to help explore any potential risks, impacts, or questions before development begins.

Your task:

Write three to five questions you would ask to help uncover:

  • Risks to users or data
  • Impacts on the system or related features
  • Testability challenges

But feel free to explore other angles too, anything that helps your team understand the change more clearly.

How to take part:

  1. Read the scenario above.
  2. Think about what could go wrong, who might be affected, or what might be missing.
  3. Write three to five questions you’d ask in a team discussion.
  4. For each question, briefly explain what kind of risk it might help uncover.
  5. Share your questions in this thread so others can see your ideas.

Example:

  • Question: “What happens if someone uploads a very large file?”
  • Why ask it? Might reveal performance or file handling risks.

Your questions might spark ideas someone else hadn’t thought of, and theirs might do the same for you. Share yours below and see what patterns or surprises emerge.

4 Likes

@aj_wilson,

  1. We have acceptable file formats, but what happens if somebody submits a format that is not acceptable?
    Risk uncovered: Security (malicious file uploads), user experience issues if uploads silently fail.

  2. How do we validate and store the images?
    Risk uncovered: Data integrity, storage costs, compliance with privacy/GDPR rules.

  3. What is the maximum file size, and what would happen if somebody goes beyond it?
    Risk uncovered: Performance problems, server crashes, poor user experience.

  4. Will images be moderated or scanned before being shown?
    Risk uncovered: Inappropriate content, reputational damage, legal risks.

  5. How does this feature integrate with the existing profile-related API or caching?
    Risk uncovered: Breaking related features, stale data, sync issues across platforms.

Hope this helps

Thanks,

Ramanan

2 Likes

  • User Permissions
    Before uploading, what permissions are needed on the mobile/web side?

  • File MIME types
    What file types does the uploader support? i.e. uploading zip files?

  • File sizes
    What is the maximum size?

  • Ways to upload file from? (local system, drive, cloud)
    How do we want to upload?

  • Time it takes to upload a file
    Performance risk: how much time does it take?

  • Not only uploading: when the user deletes/removes the file, does the old copy remain in server storage/DB?
    Revoking permissions, removing from cloud/local storage: GDPR risks

  • How are the uploaded files being stored, and where?
    Once the user uploads the image, how do we plan to store it? Directly in the DB, or in cloud storage?

  • Backups
    Do we take DB backups? How do we plan to store images, or replaced images for that matter, and for how long do we plan to keep them?

  • Time limit on content upload
    Would there be any time limit from when the picture is changed to when it’s allowed to be changed again?

  • Just another one that came to my mind while typing:
    How do we make sure the images themselves don’t contain banned items/wording/graphics etc.?

2 Likes

Some of the questions that I will ask for this particular scenario to uncover risks and challenges are:

  1. Is the feature for existing users also, or only for new users?
  2. Who can upload the image, the user or the admin? In some apps, I have seen that admins have the right to upload images.
  3. What are the maximum and minimum sizes of the image allowed, in MB?
  4. What are the maximum and minimum resolutions of the image allowed?
  5. Is there any session timeout issue also, i.e. if the image is not loaded within this particular timeout period, will there be an error message?
  6. Is there any limit on the number of times an image can be uploaded?
  7. Are we compressing the image before uploading to the server, or maintaining the same quality?
  8. What are the ways through which a user can upload an image file?
  9. Is there any permission issue also?
  10. Will uploading a profile picture be compulsory or optional?
  11. Will there be a default picture for users who don’t upload pictures?
  12. Is there any MIME type check also?
  13. What are the file types allowed, like jpg, jpeg, png, or webp/gif also?
  14. Do we have to verify the upload in the database also, i.e. whether the file is stored at the correct location or not?
  15. Is there any compliance issue or regulatory issue related to it?
  16. Will there be an option to delete the uploaded image?
  17. Do we have to check concurrency also, to verify the behaviour of the system if an image is being uploaded from multiple places at the same time?
  18. What happens if the internet disconnects while the image is uploading? Will we immediately show 404 - network connection not found, or will we wait for some time to check if the internet connection is restored?
  19. If the profile image is compulsory for existing users, what will be the behaviour when they log in? Will their access be blocked and will they be asked to upload an image before proceeding, or will they be given some grace period to upload an image?

1 Like

So my questions would be:

  1. Why do users need to upload a profile image? (I do this a lot; questions like this can start bigger conversations around any assumptions about the benefit of a feature. It will help clarify success criteria.)
  2. Where will this profile image be displayed? (This will give an indication of how many different ways the profile image is going to need to be displayed, and the scope of testing.)
  3. Are there any restrictions as to what images can be uploaded? (Quite a wide net, but that will then open up, as you mentioned, the size of the image, but also: are there any file types you want to prevent? Is there going to be a way to prevent inappropriate images? Permissions etc.)
  4. What if users don’t want to upload a profile image? (Will the system allow no profile image? Will that impact other features if they don’t? Again, trying to question any assumptions.)
  5. What if users want to remove their profile picture or change it? (It depends where the profile image is used. Is there historic content that will take the profile image with it? Will it be stored, even if unavailable to the user? Basically, think of all the CRUD activity.)

That’s my 5. In some cases broad, and they will generate more questions, but at least these questions then take us on the path to understanding not just what is changing but why.

1 Like

A few questions spring to mind.

- Data Storage - where are the images being stored and who has access? What is the security of the repository? Risk of data breaches; improper security measures may result in images being leaked or manipulated

- Can the user only upload the image? Or can admins? Who has permission to do this? If not clearly defined, unauthorised users may upload inappropriate or harmful content

- How do we handle files that have been infected with a virus? Do we scan for this? Malicious files uploaded by users may harm the system or other users

- What’s the biggest/smallest file size it can take? How do we communicate large/too small file sizes to the user? Uploading excessively large files could lead to performance issues or server overload. Alternately, allowing very small files might not meet user needs.

- How do we handle corrupt images? Risk of the system crashing, rendering issues = poor user experience

- What file types does this accept? Risk of the user uploading a file that is not supported = decreased user experience

- Is this mandatory or optional? Who has asked for this? Is this a compliance requirement?

- How does this work on mobile? Web? Inconsistencies in feature performance across different platforms may be a negative user experience

- Does the system accept certain filenames, e.g. names with spaces, long filenames?

- Will it accept images with the same file name?

- Can the user delete the image? Is this removed from storage forever? Unnecessary storage costs and potential privacy concerns if the data exceeds retention limits (e.g. GDPR compliance issues).

1 Like
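Several of the replies above ask the same things of the upload endpoint: what happens with an unacceptable or disguised file type, a missing MIME check, a file over the size limit, a corrupt image, an odd filename, or an absurd resolution. The server-side validator below, added here as an illustration and not code from this thread or any product, shows how those questions turn into concrete checks. The limits, the allow-list of PNG and GIF only, and the sample byte strings are all assumptions constructed for the example.

```python
import hashlib
import struct
# Assumed limits, not figures from the thread: set them from the product's real requirements.
MAX_BYTES = 2 * 1024 * 1024   # cap on the upload body
MIN_SIDE, MAX_SIDE = 32, 4096  # pixel bounds; huge canvases cost CPU/memory to decode
ALLOWED = {"image/png": ".png", "image/gif": ".gif"}  # allow-list keyed by sniffed type

def sniff_type(data: bytes):
    """Identify the image type from magic bytes; the client's filename and MIME header are untrusted."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None

def dimensions(kind: str, data: bytes):
    """Read width/height from the header; None means the header is truncated or corrupt."""
    if kind == "image/png":
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        return struct.unpack(">II", data[16:24])  # big-endian 32-bit width, height
    if kind == "image/gif":
        return struct.unpack("<HH", data[6:10]) if len(data) >= 10 else None
    return None

def validate_profile_image(data: bytes, client_filename: str):
    """Return (accepted, reason, stored_name); the reason is safe to show to the user."""
    if not data:
        return False, "empty upload", None
    if len(data) > MAX_BYTES:
        return False, "file exceeds %d bytes" % MAX_BYTES, None
    kind = sniff_type(data)
    if kind not in ALLOWED:
        return False, "unsupported or disguised file type", None
    ext = ALLOWED[kind]
    if not client_filename.lower().endswith(ext):
        return False, "extension does not match content", None
    dims = dimensions(kind, data)
    if dims is None:
        return False, "corrupt image header", None
    w, h = dims
    if not (MIN_SIDE <= w <= MAX_SIDE and MIN_SIDE <= h <= MAX_SIDE):
        return False, "resolution %dx%d outside %d..%d" % (w, h, MIN_SIDE, MAX_SIDE), None
    # Server-chosen name: content hash plus the sniffed extension, so spaces, long names,
    # duplicates and path characters in the client's filename never reach storage.
    return True, "ok", hashlib.sha256(data).hexdigest()[:32] + ext

# Constructed samples (not real uploads): a 64x64 PNG header, and a zip renamed to .png
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + struct.pack(">II", 64, 64) + b"\x08\x06\x00\x00\x00"
SAMPLE_ZIP_AS_PNG = b"PK\x03\x04" + b"\x00" * 28
```

Moderation of what the picture shows (the "banned content" questions) is a separate step this check does not cover; it only decides whether the bytes are a well-formed image the system agreed to accept.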