Publish Your Threat Models! The benefits far outweigh the dangers

Published: November 11, 2025 | arXiv ID: 2511.08295v1

By: Loren Kohnfelder, Adam Shostack

Potential Business Impact:

Lets companies show how safe their tech is.

Business Areas:
Penetration Testing, Information Technology, Privacy and Security

Threat modeling has long guided software development work, and we consider how Public Threat Models (PTMs) can convey useful security information to others. We list some early adopter precedents, explain the many benefits, address potential objections, and cite regulatory drivers. Internal threat models may not be directly suitable for disclosure, so we provide guidance for redaction and review, as well as for when to update models (published or not). In a concluding call to action, we encourage the technology community to openly share their PTMs so that the security properties of each component are known up and down the supply chain. Technology providers proud of their security efforts can show their work for competitive advantage, and customers can ask for and evaluate PTMs rather than be told "it's secure" and little more. Many great products already have fine threat models, and turning those into PTMs is a relatively minor task, so we argue this should (and easily could) become the new norm.

Page Count
10 pages

Category
Computer Science:
Cryptography and Security