phase 1 deliverables are education-oriented:
- 101-level guide for dev
- 101-level guide for auditing
- find and document classes of vulnerabilities from prior audits of similar codebases and exploits in the wild

phase 2 deliverable is a threat model:
- think about the code both in terms of what you'd want to defend and how you'd adversarially compromise those things (without actually identifying specific bugs yet)
- document these in the form of attack trees