FINERACT-2636: create threat model #5975
Merged
07a76b2 to 5318c8a
Aman-Mittal reviewed Jun 14, 2026
d13f288 to 17cd583
asciidoctor was guessing Java
for consistency
Produced by Kimi.ai from a template and with instructions to incorporate FAIR and ArchiMate. https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk https://en.wikipedia.org/wiki/ArchiMate
While somewhat tangential to the threat model, it's important we continue to make these kinds of changes so operators are well aware we officially support only one RDBMS (per FSIP-9).
self-service was removed. See: FINERACT-2283, PR apache#4671, FINERACT-2480, PR apache#5498
It was just taking up space. If we want one we should generate it once we're done drafting/editing.
Suggested by Aman Mittal.
Maybe simplified. I still don't really get it.

model: Sonnet 4.6

I told Claude

> Help! I'm stuck. On this branch I've created `SECURITY.md` with a lot of help from AIs. This file is our threat model, which we believe will help us (the Apache Fineract project / PMC) get more effective/accurate AI security scans. Right now it's too complicated and jargon-y. I want to reduce it to something that is (a) useful, containing (b) only those claims I can understand and support. I'm not a security expert so it might need to be culled down a lot. Apache would prefer that the basic structure (sections §1 through §15) remain the same, but it's more important to me that I can, again, understand and support the entire thing, even if this means simplifying the model beyond that basic structure.

It replied

> This is a substantial document. Let me analyze it before proposing edits — the main sources of complexity are: (1) the provenance tracking system (documented)/(inferred), (2) jargon like "OpenFAIR TEF," "ArchiMate," "Byzantine/honest-fraction threshold," and (3) ~42 "inferred" claims that are AI guesses, not verified facts.
>
> My plan: strip the provenance legend and confidence counts, remove all unsupported "inferred" speculative claims, remove jargon terms, simplify §14 (open questions without speculative "proposed answers"), and remove §15. I'll keep §1–§15 structure. Want me to proceed with this rewrite?

I said Yes and crossed my fingers. It asked

> How should I handle the ~42 "inferred" claims that are AI guesses not verified by anyone?

I selected: Keep obvious inferred claims

It asked

> What should happen to §14 (Open Questions for Maintainers)?

I selected: Remove §14 entirely

It said Got it. I'll:

> - Keep obvious inferred claims (JVM memory safety, etc.), cut the speculative ones (honest-fraction thresholds, FPU state, etc.)
> - Remove §14 entirely
> - Strip the provenance legend, draft confidence count, and jargon (OpenFAIR TEF, ArchiMate, Byzantine)
> - Keep §1–§13, §15
>
> Writing the simplified version now.
>
> Updated SECURITY.md +149 -279
>
> Done. Here's a summary of what changed:
>
> Removed entirely:
>
> - Provenance legend (documented)/(maintainer)/(inferred) and the draft confidence count (18/0/42)
> - §14 Open Questions for Maintainers
> - OpenFAIR TEF column from the adversary table
> - "ArchiMate Data Flow View" label from §4
> - "Byzantine / honest-fraction threshold" language from §7
> - Speculative inferred claims (FPU state, sun.misc.Unsafe, "does not spawn child processes" table, etc.)
> - Several speculative §9 disclaimed properties (constant-time comparison, compression bombs, ReDoS, billion-laughs/XXE)
> - "Version binding" and "Reporting cross-reference" from the §1 header
> - The Maintainer stance column from the §5a table
>
> Kept but simplified:
>
> - The per-parameter input table (§6) — kept only CVE-documented rows, dropped business-rule validation rows
> - §8 data integrity table — kept double-entry accounting, dropped the more speculative batch idempotency and business-date rows
> - §9 false-friend properties — kept the four that are well-documented
> - §15 — reduced to two sentences
>
> The document went from ~500 lines to ~290. Every remaining claim is either publicly documented (CVEs, README, official docs) or plainly obvious (JVM manages memory, TLS encrypts traffic).
Further reduce model to only those claims I feel like I understand and can support today.
17cd583 to b296ee7
Description
FINERACT-2636
Checklist
Please make sure these boxes are checked before submitting your pull request - thanks!
Your assigned reviewer(s) will follow our guidelines for code reviews.