Threat Model Template¶
Consumer-extension template — copy to your fork's THREAT_MODEL.md and extend with deployment-specific threats. worker-kmp's library-level threat model is at security.md.
Your deployment-specific context¶
- App name:
- User data sensitivity:
- Compliance requirements:
- Threat actor model:
Consumer-extension STRIDE rows¶
Add rows for threats SPECIFIC to your app on top of worker-kmp's library threat model:
| ID | Surface | Threat class | Status | Mitigation |
|---|---|---|---|---|
| C1 | |
Server-side threats (Web Push)¶
If you ship a Web Push server (per Phase 9), extend with rows for:
- Server-side subscription storage (encryption at rest, access controls)
- /push/subscribe rate-limiting + bot defense
- Cross-user subscription tampering
- Server compromise → push storm
Custom worker threats¶
If your workers handle sensitive data or external network:
- Input validation on WorkData parameters
- TLS pinning for outbound network from doWork()
- Worker output sanitization before persisting
Auditing your extension¶
- Review security-assumptions.md and confirm each item is true in your deployment.
- Add deployment-specific assumptions to your own ASSUMPTIONS.md.
- Re-audit quarterly or after material architecture changes.