Merged
4 changes: 4 additions & 0 deletions docs/security/README.md
@@ -58,6 +58,10 @@ and reuse the skills verbatim.
- [**`new-members-onboarding.md`**](new-members-onboarding.md) —
onboarding for a new security-team member: tracker access, mail
list subscription, expected reading, first triage shadow.
- [**`threat-model.md`**](threat-model.md) — release-blocking
threat model for the security skill family: trust boundaries,
adversary personas, STRIDE matrix per skill, mitigation cross-
reference, residual risk, and the re-audit cadence.

## Adopter contract

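Review bot: the new bullet calls `threat-model.md` "release-blocking" but does not say what it blocks or where that gate is enforced. The neighbouring entries describe a document's content only; if the threat model really gates releases, name the lifecycle step or check that consults it (`process.md` in this same PR is the authoritative reference for the 16-step lifecycle), otherwise drop the adjective so the README does not promise a control nobody enforces. Also, splitting "cross-reference" across the line break renders fine in Markdown but a grep for "cross-reference" will miss this entry; keep the word on one line.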
5 changes: 4 additions & 1 deletion docs/security/how-to-fix-a-security-issue.md
@@ -120,4 +120,7 @@ page is the two-minute summary.
See the
[Confidentiality of the tracker repository](../../AGENTS.md#confidentiality-of-the-tracker-repository)
section of `AGENTS.md` for the three-layer rule and the
sharing-with-non-team-recipients pattern.
sharing-with-non-team-recipients pattern. The
[threat model](threat-model.md) covers the adversaries (P1–P5) the
rule defends against and the STRIDE rows for skill family D
(public remediation).
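Review bot: `P1–P5` and `skill family D` appear here for the first time without definition, so a reader of this two-minute summary cannot resolve them without opening the full threat model. Either link to the specific headings in `threat-model.md` that define the personas and the skill families, or use the descriptive names the README bullet in this PR uses (adversary personas, STRIDE matrix per skill) and leave the short codes to the threat model itself. Also confirm that `P1–P5` is the complete persona set; the README entry gives no count, so the two pages will drift silently if a P6 is added later.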
4 changes: 3 additions & 1 deletion docs/security/process.md
@@ -34,7 +34,9 @@
The authoritative reference for the 16-step security-issue
lifecycle and the label-lifecycle state diagram. The
[role guides](roles.md) point into specific steps; the
[security skills](../../.claude/skills/) execute the steps.
[security skills](../../.claude/skills/) execute the steps; the
[threat model](threat-model.md) maps the steps and skills to trust
boundaries, adversaries, and mitigations.

## Process reference: the 16 steps

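Review bot: this paragraph declares `process.md` the authoritative reference for the lifecycle, and the added clause now says the threat model maps those same steps to trust boundaries, adversaries and mitigations. Two documents describing the step-to-mitigation mapping will drift unless one is declared authoritative for it; state here which wins when they disagree, or point at the re-audit cadence the README entry mentions so that a change to the 16 steps triggers a threat-model update. Minor style point: the edit turns the period after `execute the steps` into a semicolon, producing a three-clause sentence; a separate sentence reads more easily.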
4 changes: 4 additions & 0 deletions docs/security/roles.md
@@ -122,6 +122,10 @@ lives in
[`AGENTS.md` — Confidentiality of the tracker repository](../../AGENTS.md#confidentiality-of-the-tracker-repository).
Read it before editing anything that might be seen outside the team.

The [threat model](threat-model.md) enumerates the trust boundaries
this rule defends and the adversaries each role should expect on
those boundaries.

## For issue triagers — Steps 1–6

You own the tracker from an inbound report on `<security-list>`
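Review bot: the added paragraph gives every role the same instruction (read the threat model for the adversaries "each role should expect") immediately before the per-role sections begin with `## For issue triagers — Steps 1–6`. Since `roles.md` points into specific steps, a one-line, role-specific pointer inside each role section (which personas and boundaries matter at the triager's Steps 1–6, and so on) would serve readers better than a generic sentence here. Also, `this rule` depends on the previous paragraph's reference to the confidentiality section of `AGENTS.md`; naming the rule again keeps the paragraph intelligible if the preceding one is moved.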