
Publish Your Threat Models! The benefits far outweigh the dangers

Loren Kohnfelder, Adam Shostack

TL;DR

The paper argues for publicly disclosing threat models (PTMs) to improve security transparency across the software and hardware supply chain. It defines PTMs and the Four Question Framework, discusses regulatory drivers like the EU CRA and Secure by Demand, and surveys real-world precedents to illustrate benefits. It then provides a practical process for preparing, redacting, and maintaining PTMs, while addressing objections and potential risks of publication. The overall message is that PTMs empower providers, customers, analysts, and end users by clarifying security properties, enabling better risk assessment, and fostering a more secure, collaborative ecosystem.

Abstract

Threat modeling has long guided software development work, and we consider how Public Threat Models (PTM) can convey useful security information to others. We list some early adopter precedents, explain the many benefits, address potential objections, and cite regulatory drivers. Internal threat models may not be directly suitable for disclosure, so we provide guidance for redaction and review, as well as on when to update models (published or not). In a concluding call to action, we encourage the technology community to openly share their PTMs so that the security properties of each component are known up and down the supply chain. Technology providers proud of their security efforts can show their work for competitive advantage, and customers can ask for and evaluate PTMs rather than be told "it's secure" but little more. Many great products already have fine threat models, and turning those into PTMs is a relatively minor task, so we argue this should (and easily could) become the new norm.

Paper Structure

This paper contains 24 sections.