From d2971875117d90738d56588b30f1817614492ecb Mon Sep 17 00:00:00 2001 From: "Rafael Gonzaga rafael.nunu@hotmail.com" Date: Wed, 19 Mar 2025 12:44:51 -0300 Subject: [PATCH] doc: add impairing ability to the project day 2 day --- MAINTAINERS_THREAT_MODEL.md | 56 +++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index 1c7f95a35..82fe52132 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md 
@@ -198,3 +198,59 @@ Notes: | **Email** (io.js aliases) | - | N\A | | **Slack** | - | N\A | | **Calendar** | - | N\A | + +### Impairing the ability of the project to do day-to-day work + +* Deleting or transferring repos +* Destroying or misconfiguring infrastructure resources (e.g., build machines, cloud resources, etc.). +* Destroying publication keys (Apple, Windows..) +* Deleting calendar and calendar recurring events +* Hijacking official communication channels (Slack, email, social media) + +**Vectors:** + +* Compromised credentials or accounts +* Malicious insider threats +* Unauthorized access to CI/CD pipelines +* Unsecured backup systems +* Weak MFA enforcement or bypass +* Excessive permissions assigned to users + +**Related CWEs:** + +* CWE-284: Improper Access Control +* CWE-285: Improper Authorization +* CWE-287: Improper Authentication +* CWE-522: Insufficiently Protected Credentials +* CWE-732: Incorrect Permission Assignment for Critical Resource +* CWE-778: Insufficient Logging + +| Resource | Minimum Access | Description | +|- |- |- | +| **HackerOne** | a | Exclude the Node.js project from H1 | +| **MITRE** | - | N/A | +| **private/node-private** | a | Excluding the repository | +| **private/security-release** | w | Excluding the list of current security release | +| **private/secrets** | r | Read access to secrets grants access to key resources | +| **nodejs/node** | w | - | +| **nodejs/deps** | w | Deleting repos can affect packages that relies on it | +| **nodejs/build** (GH) | w | Write access would allow key scripts, infra to be modified | +| **nodejs/docker-node** | w | - | +| **nodejs/node-core-utils** | w | - | +| **nodejs/nodejs.org** | w | - | +| **nodejs/release-cloudflare-worker** | w | - | +| **npm account** | w | - | +| **Jenkins CI - test** | w | - | +| **Jenkins CI - release** | w | - | +| **Infra - test** | w | - | +| **Infra - release** | w | - | +| **Build infra** | w | - | +| **Website Infra** | w | - | +| **Youtube** | a | 
Deleting previous record meetings | +| **Zoom** | a | - | +| **1Password** | r | - | +| **Social media accounts** | w | - | +| **Email** (nodejs-sec) | a | - | +| **Email** (io.js aliases) | w | - | +| **nodejs/calendar** | w | - | +| **Slack** | a | - |
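Review bot: most rows of the new table leave the Description column as "-", so the minimum access level is not justified for resources such as `npm account`, `Jenkins CI - release`, `Infra - release` or `1Password`, where a one-line rationale of how that access level lets an attacker destroy or lock out the resource would make the table actionable in the same way the `nodejs/deps` and `nodejs/build` rows already are; also fix the grammar in "packages that relies on it" (rely), "Deleting previous record meetings" (recorded meetings), the spelling "Youtube" (YouTube), the stray ".." in "(Apple, Windows..)", and the mixed trailing periods in the first bullet list. Consider adding a short note that the `Unsecured backup systems` vector implies backups and recovery procedures for the listed resources, since the section describes destructive impact but names no recovery path.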