Please provide feedback on any of the following:
- Choice of categories (2017 edition only)
- Should we add additional threat categories? (2017 edition only). See FAQ below.
- Review the content of each threat category.
- If you write Bitcoin software libraries or have used them, please consider submitting code examples of how to mitigate specific threats using the library of your choice.
- If you've read academic papers or whitepapers on privacy, please let us know which threat category they are relevant to as references. Here's a list of whitepapers we've partially reviewed from the Bitcoin Wiki. If there are relevant websites, please submit these as references, as well.
Non-technical reviewers can help out by copy editing (correcting mistakes and clarifying language) and by giving feedback on how comprehensible the text is. In general, most of the content should be understandable to laypeople, and for the portions that are specific to technical audiences, it should be clear when this is the case (e.g. discussing examples in programming code).
-
Why start with just 4 categories?
This project is modeled after the OWASP Top 10 project. After organizing the criteria in our 2nd edition threat model, we determined that there weren't 10 well-defined threat categories presently, which is what you'd expect for a field that is much newer than Web application security. These first 4 threat categories account for 78% of the weight assigned to the criteria in our 2nd edition threat model. Over the years, we expect that the number of threat categories covered by this project will increase. Note that our threat model is the primary project intended to cover many threats, while this project should focus on the ones that are most important for everyone to know about.
-
Where can I find the second edition threat model?
This is currently split into two documents. The “threat model” document lists the attacker, attack, and countermeasure categories. The “criteria” document lists the criteria under the various countermeasure categories. The third edition of the threat model imposes a JSON-based format for all of this data as well as generated documentation; we will back-port the second edition to this new format once the format has been finalized.
-
What kind of feedback should I provide?
Our goal is to make sure that the threat categories meet these criteria:
- They should be common and severe, more so than other categories
- The categories should be well-defined and make sense
- The categories should be relevant to both users and developers
The copy for each attack category should include a succinct and jargon-free explanation for common users.
Ultimately, we would love to be able to offer specific technical feedback to developers on how to identify and fix these vulnerabilities. Ideally we could provide example code in a variety of languages and/or for a variety of popular Bitcoin software libraries. If you have any expertise in this area, consider contributing.
Editorial feedback on the copy is also welcome.
-
How flexible will these documents be in the future?
After the "public comment" period has passed, the threat categories and their identifiers will enter a change freeze. However, the rest of the copy may be updated as necessary. Most likely, changes to the current edition will peter out as we start working on the next version.
-
How long do I have to provide feedback?
Please see the calendar listed under the README.
You can provide feedback in the form of GitHub issues on this repository and comments on open pull requests.
You may also contact us on Twitter at @obpp_org.
The best way to ensure that your feedback is incorporated is to submit a pull request. Refer to: HOWTO-CONTRIBUTE.md.