README.md, section Currently Supported Threats, needs a legend about pytm HOT 7 OPEN

Hi - the legend is not written in stone - we were looking for unique identifiers with at least a semblance of separation between them. The categorization was never too strict simply because the issue never came up, and the identifiers are mostly used for allow-listing known issues.

It is great you want to add threats! If you're not comfortable with adding them to the existing label scheme, feel free to create your own. It would be great if it followed the ??[0-9][0-9]* format, though.

from pytm.

The grouping of the threats is a little bit over the place and sometimes it just unclear to me as well what the letters are supposed to mean.

But a threat is a threat and it does not matter if it is a denial of service or an information disclosure as long as it is a valid threat to the system.
So I agree with izar that it does not matter what letters you put in front of your threats as long as these are valid threats.

That being said here is my understanding of the first letters of all the threats.
Maybe this can be used to start a guide on creating new threats.

AA deals with AuthN ( no idea what the second A is for, maybe this was once AuthN and AuthZ)
AC with access control (AuthZ) issues
API are all threats with a condition that includes .implementsAPI.
CR is possibly credentials, crypto, and something with XML routing (CR07)
DE is all over the place could be dataflow encryption(DE01, DE03) or encoding (DE02) and I don't know how DE04 fits in.
DO is "Denial Of" anything, so threats regarding availability.
DR no idea.
DS is probably data side-channel.
HA is HA01 "Path traversal", HA02 "White Box Reverse Engineering", HA03 "Web Application Fingerprinting", and HA04 "Reverse Engineering". No idea what all of them have in common.
INP is most likely dealing with missing input validation/restrictions.
LB has only LB01 "API Manipulation" no clue what LB stand for.
SC deals with XSS and and JS threats only SC05 is a bit of an outlier in this group since it is dealing with server code.

from pytm.

Hey folks,

Is the mailing list used anymore? The mailing list is advertised as https://groups.google.com/g/pytm-users.

If not, can you email me so we can have an offline conversation? My email address is noloader, gmail account.

from pytm.

Actually I don't now if the mailing list was ever used. I am on that list for over a year and cannot remember a conversation there.
But I'm also only an occasional contributor.

from pytm.

@noloader perhaps the slack is the best place for an off-github discussion.

from pytm.

There is a slack?

from pytm.

from pytm.