New pages for Threat Model Library and Threat Modeling projects

.github/pull_request_template.md

@@ -1,9 +1,10 @@
 **Summary** :  
 
 <!--
-Provide a summary for the reviewers of this pull request, stating the section will help
-Please provide enough information so that others can review your pull request
-If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number
+What existing issue does the pull request solve?
+Add "closes #xxxx", where xxxx is the issue number
+You must have been assigned the issue before submitting the pull request
+and provide enough information so that others can review your changes
 -->
 
 **Description for the changelog** :  
@@ -19,12 +20,16 @@ Thanks for submitting a pull request, please make sure:
 
 - [ ] content meets the [license](../blob/main/license.txt) for this project
 - [ ] you have read the [contribution guide](../blob/main/contributing.md) and agree to the [Code of Conduct](../blob/main/code_of_conduct.md)
-- [ ] any [use of AI](../blob/main/contributing.md#use-of-ai) has been declared in this pull request
+- [ ] *either* no AI-generated content has been used in this pull request
+- [ ] *or* any [use of AI](../blob/main/contributing.md#use-of-ai) in this pull request has been disclosed below:
+  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie, etc]`
+  - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro, etc]`
+  - Prompts: `[Summarize the key prompts or instructions given to the AI tools]`
 
 **Other info** :  
 
-<!-- Add here any other information that may be of help to the reviewer
-
+<!--
+Add here any other information that may be of help to the reviewer
 Automated tests are run to check links, markdown and spelling
 The pull request must pass these tests before it can be merged
 -->

.github/workflows/ci.yaml

@@ -61,12 +61,12 @@ jobs:
         uses: actions/checkout@v6.0.1
 
       - name: Spell check EN language
-        uses: rojopolis/spellcheck-github-actions@0.55.0
+        uses: rojopolis/spellcheck-github-actions@0.56.0
         with:
           config_path: .spellcheck-en.yaml
 
       - name: Spell check ES language
-        uses: rojopolis/spellcheck-github-actions@0.55.0
+        uses: rojopolis/spellcheck-github-actions@0.56.0
         with:
           config_path: .spellcheck-es.yaml
 

.github/workflows/pr.yaml

@@ -55,7 +55,7 @@ jobs:
         uses: actions/checkout@v6.0.1
 
       - name: Spell check EN language
-        uses: rojopolis/spellcheck-github-actions@0.55.0
+        uses: rojopolis/spellcheck-github-actions@0.56.0
         with:
           config_path: .spellcheck-en.yaml
 
@@ -67,7 +67,7 @@ jobs:
         uses: actions/checkout@v6.0.1
 
       - name: Spell check ES language
-        uses: rojopolis/spellcheck-github-actions@0.55.0
+        uses: rojopolis/spellcheck-github-actions@0.56.0
         with:
           config_path: .spellcheck-es.yaml
 

.wordlist-en.txt

@@ -89,6 +89,7 @@ DotNet
 DrHEADer
 Dracon
 ECB
+ECMA
 EE
 ENISA
 ESAPI
@@ -104,6 +105,7 @@ GCM
 GCP
 GDPR
 GHSL
+GPT
 GRC
 GRPC
 Gasteratos
@@ -179,6 +181,7 @@ Matteo
 Microservices
 Misconfiguration
 MLSec
+Modelling
 ModSecurity
 Multifactor
 NIST
@@ -193,6 +196,7 @@ NoSQL
 Node.js
 NodeJS
 NuGets
+OATs
 OAuth
 OBOM
 ODF
@@ -295,12 +299,14 @@ Sydseter
 Symfony
 TCP
 TLS
+TMBOM
 TOCTOU
 TPM
 TPS
 Tasklist
 Tesauro
 Threagile
+ThreatAtlas
 Tink
 ToC
 Trivy
@@ -551,6 +557,7 @@ unforgeable
 unicode
 unkeyed
 unmanaged
+unremediated
 untrusted
 url
 userland

contributing.md

@@ -40,7 +40,7 @@ and then refer the developer to further reading for more in-depth treatment of t
 As a rule of thumb, if a section is more than two pages then it is probably too long;
 split the section up or refer to another more detailed project.
 
-#### Etiquette
+#### Contributor etiquette
 
 Github issues are used to coordinate contributions and keep track of progress towards each milestone:
 
@@ -49,6 +49,7 @@ Github issues are used to coordinate contributions and keep track of progress to
 * if the issue has already been assigned then coordinate with the existing owner
 * if there is not an existing issue that describes your content then [suggest one][issues]
 * provide your contributed content as a [pull request][request]
+* you **must** be assigned the issue before submitting a pull request
 
 ### Style Guide
 

docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md

@@ -0,0 +1,95 @@
+The [Threat Model Project][tmproject] is an over-arching project provided by OWASP
+that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm].
+
+#### What is the Threat Model project?
+
+The Threat Model project is not intended to be a primary source on the threat modeling domain;
+there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.
+
+Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp]
+for applications and systems of all types, with a focus on current and emerging techniques.
+
+To do this project intends to gather techniques, methodologies, tools and examples.
+There is also the intention to foster a threat modeling community and support it through initiatives and forums.
+
+Note that much of this is what the project intends to provide in the future.
+As of January 2026 the project is going through a change process that will better provide this information and guidance.
+
+#### Why refer to this project?
+
+The [Threat Modeling][tmproject] project is an over-arching project for the other threat modeling projects and resources.
+
+It can be used as a landing page for all things threat modeling;
+the starting point for finding [resources and tools][tmpres] as well as the core concepts.
+For example there is an introduction to Shostack's [Four Question Framework][4QFW],
+that then references the primary source if the user needs to know more.
+
+#### OWASP threat modeling projects
+
+Threat modeling is a wide domain and OWASP provides many projects alongside the Threat Modeling project :
+
+**Production**:
+
+- [Cornucopia][cornucopia]
+- [pytm][pytm]
+
+**Lab**:
+
+- [Automated Threats to Web Applications][oats] (OATs)
+- [Cumulus][cumulusproject]
+- [Threat Dragon][tdtm]
+
+**Incubator**:
+
+- [Dragon GPT][dgpt]
+- [Lets Threat Model][ltm]
+- [Ontology Driven Threat Modeling Framework][odtmf]
+- [SAP Threat Modeling Builder][saptmb]
+- [Threat Model Library][tml]
+- [Threat Modeling][tmproject] project
+- [Threat Modeling Playbook][tmpb] (OTMP)
+- [Threat Modelling Guide][tmgproject]
+- [ThreatAtlas][threatatlas]
+- [Rapid Developer-driven Threat Modeling][rdtmproject]
+
+These projects have been categorized by OWASP according to their importance and maturity.
+
+#### Further reading
+
+- OWASP [Threat Modeling toolkit][toolkit]
+- OWASP [Threat Modeling Cheat Sheet][cstm]
+- OWASP [Attack Surface Analysis Cheat Sheet][asacs]
+- OWASP community pages on [Threat Modeling][tmcommunity] and [Threat Modeling Process][tmprocess]
+- Shostack's [Four Question Framework][4QFW]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue040101] or [edit on GitHub][edit040101].
+
+[4QFW]: https://github.com/adamshostack/4QuestionFrame
+[asacs]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet
+[cornucopia]: https://owasp.org/www-project-cornucopia/
+[cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
+[cumulusproject]: https://owasp.org/www-project-cumulus/
+[dgpt]: https://owasp.org/www-project-dragon-gpt/
+[edit040101]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
+[issue040101]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/01-threat-modeling-project
+[ltm]: https://owasp.org/www-project-lets-threat-model/
+[oats]: https://owasp.org/www-project-automated-threats-to-web-applications/
+[odtmf]: https://owasp.org/www-project-ontology-driven-threat-modeling-framework/
+[pytm]: https://owasp.org/www-project-pytm/
+[rdtmproject]: https://owasp.org/www-project-rapid-developer-driven-threat-modeling/
+[saptmb]: https://owasp.org/www-project-sap-threat-modeling-builder/
+[tdtm]: https://owasp.org/www-project-threat-dragon/
+[threatatlas]: https://owasp.org/www-project-threatatlas/
+[toolkit]: https://www.youtube.com/watch?v=KGy_KCRUGd4
+[tmpb]: https://owasp.org/www-project-threat-modeling-playbook/
+[tmcommunity]: https://owasp.org/www-community/Threat_Modeling
+[tmgproject]: https://owasp.org/www-project-threat-modelling-guide/
+[tml]: https://owasp.org/www-project-threat-model-library/
+[tmpapp]: https://owasp.org/www-project-threat-modeling/#div-application-tm
+[tmpres]: https://owasp.org/www-project-threat-modeling/#div-resources
+[tmprocess]: https://owasp.org/www-community/Threat_Modeling_Process
+[tmproject]: https://owasp.org/www-project-threat-modeling/
+[tmptm]: https://owasp.org/www-project-threat-modeling/#div-threatmodeling

docs/en/04-design/01-threat-modeling/05-linddun-go.md

@@ -1,5 +1,4 @@
 LINNDUN GO is a card game used to help derive privacy requirements during the software development life cycle.
-The LINNDUN GO card set can be [downloaded][linddun-go-cards] as a PDF and then printed out.
 
 #### What is LINDDUN GO?
 
@@ -44,7 +43,7 @@ The advice from the LINDDUN GO 'getting started' instructions is that this team
 
 The application should have already been described by an architecture diagram or data flow diagram
 so that the players have something to refer to during the game.
-[Download][linddun-go-cards] and printout the deck of cards.
+The LINNDUN GO card set can be [downloaded][linddun-go-cards] as a PDF and the deck of cards printed out.
 
 Follow the [set of rules][linddun-go-rules] to structure the game session, record the outcome and act on it.
 The outcome of the game is to identify possible privacy threats and propose remediations;
@@ -53,11 +52,11 @@ as well as having a good time of course.
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
-then [submit an issue][issue060105] or [edit on GitHub][edit060105].
+then [submit an issue][issue040105] or [edit on GitHub][edit040105].
 
 [cornucopia]: https://owasp.org/www-project-cornucopia/
-[edit060105]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/05-linddun-go.md
-[issue060105]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/05-linddun-go
+[edit040105]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/05-linddun-go.md
+[issue040105]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/05-linddun-go
 [linddun]: https://linddun.org/
 [linddun-go]: https://linddun.org/go/
 [linddun-go-cards]: https://downloads.linddun.org/linddun-go/default/latest/go.pdf

docs/en/04-design/01-threat-modeling/06-threat-model-library.md

@@ -0,0 +1,88 @@
+The [Threat Model Library][tml] is a collection of threat models that have been donated to the public domain
+and which provide examples of best practice.
+This is an OWASP Incubator project with [several models][tmboms] available already and more to come.
+
+#### What is the Threat Model Library?
+
+The Threat Model library is just that;
+a collection of models donated to the public domain by various organizations and individuals.
+The intention is that these threat models that will stimulate discussion and
+can be used as the starting point for other similar systems.
+
+Sharing threat models into the public domain was promoted in a talk by Adam Shostack
+at the OWASP 2025 AppSec Barcelona conference: [Publish Your Threat Models!][tmpublish].
+
+The threat models are categorized as:
+
+1. Web applications
+2. Infrastructure
+3. AI-ML systems
+
+with more categories to be added.
+
+The threat models are in a standard file format, Threat Model Bill of Materials (TMBOM),
+and the format of these TM-BOM files is defined by the [Threat Model library schema][tmbom-schema].
+The TM-BOM is (as of January 2026) in the process of being defined
+by a CycloneDX working group to be part of the existing ECMA-424 standard
+published by [ECMA][ecma] international.
+
+#### How to view the models
+
+As of January 2026 [Threat Dragon][tddownload] is the only tool
+that provides an easy-to-read rendering of the TM-BOM files along with a PDF report.
+More tools are expected to handle TM-BOM file format as the ECMA standard comes into place
+and demand for the format increases.
+
+At present Threat Dragon can import the TM-BOM file to display the model and create a report, but it can not export TM-BOMs.
+There are plans to provide the TM-BOM export from Threat Dragon
+during the course of 2026 which will allow creation and updates to the TM-BOM files.
+
+#### How to create new models
+
+No matter what method or tool is used to create a threat model in TM-BOM format, the activities are roughly the same.
+As an example they can be based on Shostack's [Four Question Framework][4QFW] :
+
+1. Describe the system (What are we working on?)
+    1. Provide the **Scope** of the diagram
+    2. Create a **Diagram** that describes the system using
+        1. **Actor** nodes
+        2. **Component** nodes
+        3. **Data Store** nodes containing **Data Sets**
+        4. **Trust Zones**
+        5. **Trust Boundaries**
+        6. **Data Flows** from one node to another
+    3. List the **Assumptions** made when creating the model
+2. Identify threats and risks (What can go wrong?)
+    1. List the **Threat Personas** - malicious or otherwise
+    2. Identify the **Threats** to the system
+    3. Identify the **Risks** for the Threats
+3. Identify remediations and controls (What are we going to do about it?)
+    1. List the existing **Controls** or new ones that need to be put in place
+    2. Create the **Mitigation Plans** that contain controls for the identified risks
+4. Report what threats are unremediated (Did we do a good job?)
+    [Threat Dragon][tdtm] can highlight threats that remain unremediated and also provide reporting;
+    more tools will follow as they become TM-BOM aware
+
+The details of creating these TM-BOM files are described in a Threat Model Library [wiki page][tmlwiki].
+
+#### References
+
+* OWASP [Threat Model Library][tml]
+* [Threat models][tmboms] in TM-BOM format
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue040106] or [edit on GitHub][edit040106].
+
+[4QFW]: https://github.com/adamshostack/4QuestionFrame
+[ecma]: https://ecma-international.org/
+[edit040106]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/06-threat-model-library.md
+[issue040106]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/06-threat-model-library
+[tddownload]: https://github.com/OWASP/threat-dragon/releases
+[tdtm]: https://owasp.org/www-project-threat-dragon/
+[tmboms]: https://github.com/OWASP/www-project-threat-model-library/tree/main/threat-models/
+[tmbom-schema]: https://github.com/OWASP/www-project-threat-model-library/releases/latest
+[tml]: https://owasp.org/www-project-threat-model-library/
+[tmlwiki]: https://github.com/OWASP/www-project-threat-model-library/wiki/Creating-TM%E2%80%90BOMs
+[tmpublish]: https://www.youtube.com/watch?v=jEqa16lGz_E