We are studying vulnerabilities across different releases of Thunderbird's
project. The goal of the study is to investigate the root cause of CVEs and
study those rooted in the security architecture of the project. We are
looking at both flaws in the design (if any) and degradation of design in
source code (violation of design decisions due coding mistakes).
At this step, we would like to know if we have correctly extracted the list
of security mechanisms (tactics/patterns) used in Thunderbird's project.
My Ph.D. student has created a draft for the list of security tactics used
in Thunderbird's project. I appreciate it if you could take the time and
review it and let us know your feedback. Are there any other high-level
decision made by the team which is missing?