Glossary
Definitions for security and trust terms used across PVERSE Docs, including passkeys, recovery, threat modeling, audits, privacy, blockchain risk, and external-market safety.
How to use this glossary
- Fast reading: skim the term names first and use the first sentence as the working definition.
- Deep reading: use the “Why it matters” lines to understand the operational security impact.
- Cross-reference: terms are written to align with pages such as Account Security, Authentication & Recovery, Threat Model, Audit & Verification, Privacy, and Risk Disclosure.
Core concepts
Security Boundary
Definition: The line separating what PVERSE can directly enforce from what it cannot fully control, such as user devices, third-party wallets, public chains, and external markets.
Why it matters: Many security failures occur at boundaries rather than inside a single isolated component.
Threat Model
Definition: A structured description of likely adversaries, realistic attack paths, protected assets, and acceptable or unacceptable failure modes.
Why it matters: The threat model determines what must be mitigated, monitored, restricted, or accepted as residual risk.
Attack Surface
Definition: The total set of entry points, interfaces, services, dependencies, workflows, or behaviors an attacker could target.
Why it matters: Reducing attack surface is often safer than piling more complex controls onto an already exposed design.
Least Privilege
Definition: A security principle where users, services, keys, and processes receive only the permissions they actually need, for only as long as they need them.
Why it matters: It limits blast radius when any single identity, service, or signer is compromised.
Defense in Depth
Definition: A layered security model where prevention, detection, response, and recovery controls reinforce one another instead of relying on one control to be perfect.
Why it matters: Real systems fail; layered controls make those failures survivable rather than catastrophic.
Invariant
Definition: A property that should remain true under all normal system conditions, such as “critical ledger history is forward-only” or “unsupported payment contexts should not be settled as valid.”
Why it matters: Security monitoring is often strongest when it checks invariant breakage rather than vague anomalies alone.
Identity & authentication
Passkey
Definition: A phishing-resistant authentication credential based on public-key cryptography, usually stored in a secure device element or managed credential system.
Why it matters: Passkeys reduce password reuse, credential stuffing, and many common phishing patterns.
WebAuthn
Definition: A browser and platform authentication standard used to support passkey-style sign-in and other public-key based login flows.
Why it matters: It enables strong authentication without relying on shared static secrets.
FIDO2
Definition: A family of authentication standards that includes WebAuthn and related authenticator protocols designed to strengthen sign-in security.
Why it matters: It underpins widely supported strong-authentication patterns across modern platforms.
Authenticator
Definition: A device or software component that stores or produces authentication credentials, such as a platform authenticator or roaming security key.
Why it matters: Authentication strength depends partly on how well the authenticator itself is protected.
Relying Party (RP)
Definition: The service requesting authentication, which in this context is PVERSE operating under its official domain and identity.
Why it matters: Proper RP binding helps prevent credential reuse across fake or unrelated domains.
Phishing
Definition: A deceptive attempt to trick users into revealing secrets, approving malicious requests, or trusting a fake interface or message.
Why it matters: It remains one of the most common real-world causes of account compromise and wallet loss.
Session
Definition: A temporary authenticated state representing a user’s active interaction period with the platform.
Why it matters: A compromised session can have the same practical effect as an account takeover if not bounded well.
Session Hijacking
Definition: Unauthorized takeover of an authenticated session through cookie theft, token replay, or related session-control weakness.
Why it matters: Secure session handling is as important as strong login secrets.
Recovery & account continuity
Recovery Code
Definition: A high-entropy backup credential or restoration code intended for controlled account recovery when primary authentication is unavailable.
Why it matters: A recovery code should be protected almost as carefully as a private key because it may bypass ordinary access barriers.
Break-glass procedure
Definition: A controlled emergency path for restoring access when ordinary authentication fails or becomes unavailable.
Why it matters: Emergency paths are attractive targets and must be narrower and safer than routine access.
Rotation
Definition: The planned replacement of credentials, keys, codes, or secrets after time, use, suspicion of exposure, or policy change.
Why it matters: Rotation limits long-term exposure and reduces the value of previously compromised material.
Account Takeover (ATO)
Definition: Unauthorized control of an account with meaningful access, permissions, or platform significance.
Why it matters: ATO is often the first step toward theft, fraud, irreversible approvals, or downstream abuse.
Continuity
Definition: The degree to which account behavior, session behavior, and device behavior appear coherent and plausibly controlled by the same legitimate user over time.
Why it matters: Continuity helps distinguish stable account use from compromise, sharing, or suspicious automation.
Keys, wallets, and asset safety
Private Key
Definition: A secret cryptographic value that authorizes blockchain transactions and proves control over an address or signer.
Why it matters: If exposed, it may allow irreversible asset movement or privileged on-chain action.
Seed Phrase (Mnemonic)
Definition: A human-readable phrase representing the master secret from which wallet keys can be derived.
Why it matters: Anyone with the seed phrase may effectively control all derived wallets.
Hot Wallet
Definition: A wallet connected to or accessible from online systems, usually for operational convenience and speed.
Why it matters: Hot wallets are useful for operations but carry meaningfully higher compromise risk than colder custody tiers.
Cold Wallet
Definition: A wallet kept offline or under strong isolation to reduce remote compromise exposure.
Why it matters: Cold custody is an important boundary for reserves and other high-blast-radius assets.
Hardware Wallet
Definition: A physical device designed to store signing keys securely and authorize transactions in a safer execution environment.
Why it matters: It reduces many malware-driven theft paths, though it does not eliminate phishing or deceptive approval risk.
Multisig
Definition: A control scheme requiring multiple approvals or signatures before an action can execute.
Why it matters: It reduces single-key failure risk for treasury, admin, or other critical custody paths.
Token Allowance
Definition: A permission granting a contract the ability to spend a defined amount of a token from a wallet.
Why it matters: Unsafe approvals can be exploited even if the user never intended a direct transfer.
Approval
Definition: A blockchain action granting authorization, commonly to a token contract or application flow.
Why it matters: Many real losses occur through harmful approvals rather than obvious wallet-drain transactions.
Sign vs Send
Definition: “Sign” usually authorizes a message or intent, while “Send” usually broadcasts a state-changing blockchain transaction.
Why it matters: Users often underestimate the risk of signing non-obvious or deceptive payloads.
Custody Tier
Definition: A risk-based classification of wallet or signer exposure, such as cold, warm, or hot custody.
Why it matters: Asset safety depends on matching asset importance to the right custody boundary.
Web & application security
XSS (Cross-Site Scripting)
Definition: A vulnerability allowing attacker-controlled script to execute inside a trusted browser origin.
Why it matters: XSS can steal sessions, manipulate interface behavior, or deceive users into unsafe actions.
CSRF (Cross-Site Request Forgery)
Definition: A vulnerability where a user’s browser is tricked into sending unintended authenticated requests.
Why it matters: Without proper controls, a user may perform actions they did not actually mean to approve.
CSP (Content Security Policy)
Definition: A browser policy header restricting which scripts, frames, and resources can load or execute.
Why it matters: CSP helps reduce the damage potential of XSS and unsafe script loading.
Rate Limiting
Definition: A control restricting request frequency to reduce abuse, brute-force behavior, scraping, or service exhaustion.
Why it matters: It slows attackers and helps preserve system availability under stress.
WAF (Web Application Firewall)
Definition: A filtering layer used to detect or block known malicious web traffic patterns.
Why it matters: It can reduce common attack noise, though it is not a substitute for secure code.
Supply-chain Risk
Definition: Security risk introduced through dependencies, vendors, build tooling, delivery pipelines, or other third-party components.
Why it matters: A compromised dependency can affect users even when first-party code looks clean.
Blockchain & market risks
Front-running
Definition: Executing ahead of a victim’s transaction after observing pending intent and paying to gain priority.
Why it matters: It can worsen execution quality, increase slippage, or create extractive trading conditions.
Sandwich Attack
Definition: An attack where an adversary places one transaction before and one after a victim transaction to profit from the victim’s price impact.
Why it matters: It is one of the clearest real-world expressions of MEV pressure on public chains.
MEV (Maximal or Minimal Extractable Value)
Definition: Value extracted by reordering, inserting, censoring, or strategically positioning transactions within a block or execution flow.
Why it matters: MEV affects fairness, execution quality, and the real cost of public-chain interaction.
Liquidity
Definition: The practical ability to buy or sell an asset without causing excessive price impact.
Why it matters: Thin liquidity increases slippage, instability, and exit uncertainty.
Slippage
Definition: The difference between expected execution price and actual execution price.
Why it matters: Wide slippage tolerance can expose users to worse execution or exploitative routing.
Rug Pull
Definition: A scam or abuse pattern where project control, liquidity control, or user trust is exploited to inflict loss on participants.
Why it matters: It is a common reminder that visible tokens, markets, and websites are not enough to prove legitimacy.
Imposter Token
Definition: A fake or misleading token using similar branding, symbols, or presentation to imitate a legitimate project.
Why it matters: Buying or approving the wrong contract is often irreversible.
Audit & verification terms
Security Audit
Definition: A structured review of code, architecture, assumptions, or control design intended to identify weaknesses and reduce risk.
Why it matters: Audits reduce risk but do not prove the total absence of bugs or exploit paths.
Formal Verification
Definition: The mathematical proof of specific code properties under explicit assumptions and modeled conditions.
Why it matters: It can provide very strong guarantees for narrow invariants, but it is only as complete as its scope and assumptions.
Monitoring
Definition: Continuous collection and analysis of logs, metrics, alerts, events, or on-chain signals to detect abnormal behavior.
Why it matters: Fast detection often determines whether an incident remains small or becomes materially damaging.
Verification-first
Definition: A design philosophy where important platform claims are tied as closely as possible to evidence rather than private assertion alone.
Why it matters: Verification-first systems reduce blind trust and make high-impact states easier to audit later.
Forward-only Record
Definition: A record model where corrections and updates are expressed as new entries or explicit state transitions instead of silent rewrites.
Why it matters: It preserves history, improves auditability, and reduces ambiguity after disputes or incidents.
Privacy & data terms
PII (Personally Identifiable Information)
Definition: Data that can identify a person directly or indirectly, such as an email address, phone number, or government-linked identifier.
Why it matters: Collecting and retaining more PII usually increases compliance burden and breach impact.
Data Minimization
Definition: The practice of collecting only necessary data, limiting retention, and restricting access to what is actually needed.
Why it matters: Less retained sensitive data means less exposure when systems or processes fail.
Pseudonymous
Definition: Not directly named, yet still potentially linkable to a person or activity pattern through surrounding context.
Why it matters: “Not directly identifying” does not automatically mean “private.”
Telemetry
Definition: Product, system, or reliability signals collected to improve security, stability, and performance.
Why it matters: Telemetry can become sensitive if designed carelessly, so minimization still matters.
Incident response
Security Incident
Definition: An event threatening the confidentiality, integrity, or availability of systems, accounts, assets, or operational controls.
Why it matters: Clear incident definitions improve response speed and escalation discipline.
Severity
Definition: A classification of impact and urgency, often expressed through levels such as critical, high, medium, or low.
Why it matters: Severity helps limited attention focus on the most dangerous issues first.
Responsible Disclosure
Definition: The practice of reporting vulnerabilities privately so remediation can occur before public exposure where possible.
Why it matters: It reduces exploitation windows and helps protect users during the fix cycle.
Containment
Definition: The immediate effort to stop an incident from spreading or causing additional damage after detection.
Why it matters: Strong containment often matters more than perfect diagnosis in the first moments of a real incident.
External markets
Official Links
Definition: Project-controlled sources of truth for canonical domains, policies, contract references, and verified announcements.
Why it matters: Official links reduce exposure to impersonation, fake tokens, and false market references.
Third-party Risk
Definition: Risk introduced by external services such as exchanges, bridges, wallets, RPC providers, hosting vendors, or analytics providers.
Why it matters: External failures can impact users and platform behavior even when first-party systems remain healthy.
Counterparty Risk
Definition: The risk that another party or dependency in a transaction or process fails to perform as expected.
Why it matters: In crypto-native environments, counterparties may include service providers, liquidity venues, bridges, or infrastructure dependencies.
Change log
- 2026-03-22: Updated glossary to the current PVERSE Security docs template and aligned terms with the latest Security section language.
- 2026-02-12: Initial glossary for Security docs.