Threat modeling has long guided software development work, and we consider how Public Threat Models (PTM) can convey useful security information to others. We list some early adopter precedents, explain the many benefits, address potential objections, and cite regulatory drivers. Internal threat models may not be directly suitable for disclosure so we provide guidance for redaction and review, as well as when to update models (published or not). In a concluding call to action, we encourage the technology community to openly share their PTMs so the security properties of each component are known up and down the supply chain. Technology providers proud of their security efforts can show their work for competitive advantage, and customers can ask for and evaluate PTMs rather than be told "it's secure" but little more. Many great products already have fine threat models, and turning those into PTMs is a relatively minor task, so we argue this should (and easily could) become the new norm.

翻译：威胁建模长期以来指导着软件开发工作，本文探讨了公共威胁模型（PTM）如何向他人传递有用的安全信息。我们列举了一些早期采用者的先例，阐述了诸多益处，回应了可能的反对意见，并引用了监管驱动力。内部威胁模型可能不直接适合公开披露，因此我们提供了编辑与审查指南，以及何时更新模型（无论是否已发布）。在最后的行动倡议中，我们鼓励技术社区公开分享其PTM，以便供应链上下游都能了解每个组件的安全特性。以自身安全措施为傲的技术提供商可借此展示其工作以获得竞争优势，客户则可主动要求并评估PTM，而非仅被告知“它是安全的”却缺乏详细信息。许多优秀产品已具备完善的威胁模型，将其转化为PTM是一项相对简单的任务，因此我们认为这应当（且容易）成为新的规范。