Near One currently has no threat model, and we have been responding to vulnerabilities mostly on a reactive basis. We did commend a technical audit, but it does not give us much information for where to dig in next to secure Near One.
Why should NEAR One work on this
Threat modeling is the first step towards security. Without a proper threat model, figuring out which vulnerabilities to fix first, or where to look for vulnerabilities, is only a guessing game.
What needs to be accomplished
We should establish a threat model for nearcore.
This means in particular:
Listing the assets we have that can host vulnerabilities
Listing the known vulnerabilities, as well as all the places which seem scariest from an "unknowns" perspective
Evaluating the risks for each such vulnerabilities, be them known or unknown
Accordingly, prioritize the work for improving our security stance, be it by fixing vulnerabilities or exploring unknowns
Main use case
With a threat model, we could stop randomly guessing where our vulnerabilities are, or being reactive only in all we do.
However, it should be noted that a threat model is not an one-off thing. While this project aims to establish the first threat model for Near One, we will have to constantly update the threat model.
Links to external documentations and discussions
None
Estimated effort
The estimated time is 2-3 months-person. @Ekleog-NEAR has started working on it, by chatting with everyone in Near One about the vulnerabilities they know or can think of.
Assumptions
None
Pre-requisites
None
Out of scope
None
Task list
### Tasks
- [ ] chat with everyone from Near One about the potential vulnerabilities they can think of, known or unknown
- [ ] list all the assets we currently have, and the impact them being attacked would have
- [ ] evaluate the risks and dangers for each vulnerability, known or unknown
- [ ] prioritize the work accordingly
Goals
Background
Near One currently has no threat model, and we have been responding to vulnerabilities mostly on a reactive basis. We did commend a technical audit, but it does not give us much information for where to dig in next to secure Near One.
Why should NEAR One work on this
Threat modeling is the first step towards security. Without a proper threat model, figuring out which vulnerabilities to fix first, or where to look for vulnerabilities, is only a guessing game.
What needs to be accomplished
We should establish a threat model for nearcore.
This means in particular:
Main use case
With a threat model, we could stop randomly guessing where our vulnerabilities are, or being reactive only in all we do.
However, it should be noted that a threat model is not an one-off thing. While this project aims to establish the first threat model for Near One, we will have to constantly update the threat model.
Links to external documentations and discussions
None
Estimated effort
The estimated time is 2-3 months-person. @Ekleog-NEAR has started working on it, by chatting with everyone in Near One about the vulnerabilities they know or can think of.
Assumptions
None
Pre-requisites
None
Out of scope
None
Task list