
Commit c5ea56b

docs: mention threat models
1 parent dc4df46 commit c5ea56b

File tree

1 file changed

+14
-0
lines changed


_articles/security-best-practices-for-your-project.md

Lines changed: 14 additions & 0 deletions
@@ -83,6 +83,20 @@ To avoid this, publish a security policy. A security policy, defined in a `SECUR
8383
### Private Vulnerability Reporting
8484

8585
On some platforms, you can streamline and strengthen your vulnerability management process, from intake to broadcast, with private issues. On GitLab, this can be done with private issues. On GitHub, this is called private vulnerability reporting (PVR). PVR enables maintainers to receive and address vulnerability reports, all within the GitHub platform. GitHub will automatically create a private fork to write the fixes, and a draft security advisory. All of this remains confidential until you decide to disclose the issues and release the fixes. To close the loop, security advisories will be published, and will inform and protect all your users through their SCA tool.
86+
87+
### Define your threat model to help users and researchers understand scope
88+
89+
Before security researchers can report issues effectively, they need to understand what risks are in scope. A lightweight threat model can help define your project’s boundaries, expected behavior, and assumptions.
90+
91+
A threat model doesn’t need to be complex. Even a simple document outlining what your project does, what it trusts, and how it could be misused goes a long way. It also helps you, as a maintainer, think through potential pitfalls and inherited risks from upstream dependencies.
92+
93+
A great example is the [Node.js threat model](https://github.com/nodejs/node/security/policy#the-nodejs-threat-model), which clearly defines what is and isn’t considered a vulnerability in the project’s context.
94+
95+
If you’re new to this, the [OWASP Threat Modeling Process](https://owasp.org/www-community/Threat_Modeling_Process) offers a helpful introduction to build your own.
96+
97+
Publishing a basic threat model alongside your security policy improves clarity for everyone.
98+
99+
86100
## Treat security as a team effort
87101

88102
### Security isn't a solo responsibility. It works best when shared across your project's community.
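Review bot: the new section never says what the threat model should actually list, and that is what a researcher reading the security policy needs; "what your project does, what it trusts, and how it could be misused" is the closest it gets. Suggest adding, right after that sentence, a concrete minimum: the trust boundaries (which inputs are attacker-controlled), the assumptions the project relies on (for example, that the host running it is not already compromised), and an explicit list of issue classes you will not treat as vulnerabilities, since that list is what lets you close out-of-scope reports without argument. The Node.js link already illustrates this, so one sentence noting that its value is the explicit out-of-scope list would tie the example to the advice. Style: the heading "Define your threat model to help users and researchers understand scope" is much longer than its sibling "### Private Vulnerability Reporting"; "### Define your threat model" reads better in a table of contents, with the scope rationale left to the first paragraph.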
