PVERSE
Security

Glossary

Definitions for security and trust terms used across PVERSE Docs, including passkeys, recovery, threat modeling, audits, privacy, blockchain risk, and external-market safety.

Published: March 22, 2026
Updated: March 22, 2026
Section: Security
Scope
This glossary explains terms as they are used across PVERSE Security docs. It is a reference layer, not legal, financial, or security advice. If a definition here conflicts with a canonical policy page, the canonical policy page takes precedence.

How to use this glossary

  • Fast reading: skim the term names first and use the first sentence as the working definition.
  • Deep reading: use the “Why it matters” lines to understand the operational security impact.
  • Cross-reference: terms are written to align with pages such as Account Security, Authentication & Recovery, Threat Model, Audit & Verification, Privacy, and Risk Disclosure.

Core concepts

Security Boundary

Definition: The line separating what PVERSE can directly enforce from what it cannot fully control, such as user devices, third-party wallets, public chains, and external markets.

Why it matters: Many security failures occur at boundaries rather than inside a single isolated component.

Threat Model

Definition: A structured description of likely adversaries, realistic attack paths, protected assets, and acceptable or unacceptable failure modes.

Why it matters: The threat model determines what must be mitigated, monitored, restricted, or accepted as residual risk.

Attack Surface

Definition: The total set of entry points, interfaces, services, dependencies, workflows, or behaviors an attacker could target.

Why it matters: Reducing attack surface is often safer than piling more complex controls onto an already exposed design.

Least Privilege

Definition: A security principle where users, services, keys, and processes receive only the permissions they actually need, for only as long as they need them.

Why it matters: It limits blast radius when any single identity, service, or signer is compromised.

Defense in Depth

Definition: A layered security model where prevention, detection, response, and recovery controls reinforce one another instead of relying on one control to be perfect.

Why it matters: Real systems fail; layered controls make those failures survivable rather than catastrophic.

Invariant

Definition: A property that should remain true under all normal system conditions, such as “critical ledger history is forward-only” or “unsupported payment contexts should not be settled as valid.”

Why it matters: Security monitoring is often strongest when it checks invariant breakage rather than vague anomalies alone.

Identity & authentication

Passkey

Definition: A phishing-resistant authentication credential based on public-key cryptography, usually stored in a secure device element or managed credential system.

Why it matters: Passkeys reduce password reuse, credential stuffing, and many common phishing patterns.

WebAuthn

Definition: A browser and platform authentication standard used to support passkey-style sign-in and other public-key based login flows.

Why it matters: It enables strong authentication without relying on shared static secrets.

FIDO2

Definition: A family of authentication standards that includes WebAuthn and related authenticator protocols designed to strengthen sign-in security.

Why it matters: It underpins widely supported strong-authentication patterns across modern platforms.

Authenticator

Definition: A device or software component that stores or produces authentication credentials, such as a platform authenticator or roaming security key.

Why it matters: Authentication strength depends partly on how well the authenticator itself is protected.

Relying Party (RP)

Definition: The service requesting authentication, which in this context is PVERSE operating under its official domain and identity.

Why it matters: Proper RP binding helps prevent credential reuse across fake or unrelated domains.

Phishing

Definition: A deceptive attempt to trick users into revealing secrets, approving malicious requests, or trusting a fake interface or message.

Why it matters: It remains one of the most common real-world causes of account compromise and wallet loss.

Session

Definition: A temporary authenticated state representing a user’s active interaction period with the platform.

Why it matters: A compromised session can have the same practical effect as an account takeover if not bounded well.

Session Hijacking

Definition: Unauthorized takeover of an authenticated session through cookie theft, token replay, or related session-control weakness.

Why it matters: Secure session handling is as important as strong login secrets.

Recovery & account continuity

Recovery Code

Definition: A high-entropy backup credential or restoration code intended for controlled account recovery when primary authentication is unavailable.

Why it matters: A recovery code should be protected almost as carefully as a private key because it may bypass ordinary access barriers.

Break-glass procedure

Definition: A controlled emergency path for restoring access when ordinary authentication fails or becomes unavailable.

Why it matters: Emergency paths are attractive targets and must be narrower and safer than routine access.

Rotation

Definition: The planned replacement of credentials, keys, codes, or secrets after time, use, suspicion of exposure, or policy change.

Why it matters: Rotation limits long-term exposure and reduces the value of previously compromised material.

Account Takeover (ATO)

Definition: Unauthorized control of an account with meaningful access, permissions, or platform significance.

Why it matters: ATO is often the first step toward theft, fraud, irreversible approvals, or downstream abuse.

Continuity

Definition: The degree to which account behavior, session behavior, and device behavior appear coherent and plausibly controlled by the same legitimate user over time.

Why it matters: Continuity helps distinguish stable account use from compromise, sharing, or suspicious automation.

Keys, wallets, and asset safety

Private Key

Definition: A secret cryptographic value that authorizes blockchain transactions and proves control over an address or signer.

Why it matters: If exposed, it may allow irreversible asset movement or privileged on-chain action.

Seed Phrase (Mnemonic)

Definition: A human-readable phrase representing the master secret from which wallet keys can be derived.

Why it matters: Anyone with the seed phrase may effectively control all derived wallets.

Hot Wallet

Definition: A wallet connected to or accessible from online systems, usually for operational convenience and speed.

Why it matters: Hot wallets are useful for operations but carry meaningfully higher compromise risk than colder custody tiers.

Cold Wallet

Definition: A wallet kept offline or under strong isolation to reduce remote compromise exposure.

Why it matters: Cold custody is an important boundary for reserves and other high-blast-radius assets.

Hardware Wallet

Definition: A physical device designed to store signing keys securely and authorize transactions in a safer execution environment.

Why it matters: It reduces many malware-driven theft paths, though it does not eliminate phishing or deceptive approval risk.

Multisig

Definition: A control scheme requiring multiple approvals or signatures before an action can execute.

Why it matters: It reduces single-key failure risk for treasury, admin, or other critical custody paths.

Token Allowance

Definition: A permission granting a contract the ability to spend a defined amount of a token from a wallet.

Why it matters: Unsafe approvals can be exploited even if the user never intended a direct transfer.

Approval

Definition: A blockchain action granting authorization, commonly to a token contract or application flow.

Why it matters: Many real losses occur through harmful approvals rather than obvious wallet-drain transactions.

Sign vs Send

Definition: “Sign” usually authorizes a message or intent, while “Send” usually broadcasts a state-changing blockchain transaction.

Why it matters: Users often underestimate the risk of signing non-obvious or deceptive payloads.

Custody Tier

Definition: A risk-based classification of wallet or signer exposure, such as cold, warm, or hot custody.

Why it matters: Asset safety depends on matching asset importance to the right custody boundary.

Web & application security

XSS (Cross-Site Scripting)

Definition: A vulnerability allowing attacker-controlled script to execute inside a trusted browser origin.

Why it matters: XSS can steal sessions, manipulate interface behavior, or deceive users into unsafe actions.

CSRF (Cross-Site Request Forgery)

Definition: A vulnerability where a user’s browser is tricked into sending unintended authenticated requests.

Why it matters: Without proper controls, a user may perform actions they did not actually mean to approve.

CSP (Content Security Policy)

Definition: A browser policy header restricting which scripts, frames, and resources can load or execute.

Why it matters: CSP helps reduce the damage potential of XSS and unsafe script loading.

Rate Limiting

Definition: A control restricting request frequency to reduce abuse, brute-force behavior, scraping, or service exhaustion.

Why it matters: It slows attackers and helps preserve system availability under stress.

WAF (Web Application Firewall)

Definition: A filtering layer used to detect or block known malicious web traffic patterns.

Why it matters: It can reduce common attack noise, though it is not a substitute for secure code.

Supply-chain Risk

Definition: Security risk introduced through dependencies, vendors, build tooling, delivery pipelines, or other third-party components.

Why it matters: A compromised dependency can affect users even when first-party code looks clean.

Blockchain & market risks

Front-running

Definition: Executing ahead of a victim’s transaction after observing pending intent and paying to gain priority.

Why it matters: It can worsen execution quality, increase slippage, or create extractive trading conditions.

Sandwich Attack

Definition: An attack where an adversary places one transaction before and one after a victim transaction to profit from the victim’s price impact.

Why it matters: It is one of the clearest real-world expressions of MEV pressure on public chains.

MEV (Maximal or Minimal Extractable Value)

Definition: Value extracted by reordering, inserting, censoring, or strategically positioning transactions within a block or execution flow.

Why it matters: MEV affects fairness, execution quality, and the real cost of public-chain interaction.

Liquidity

Definition: The practical ability to buy or sell an asset without causing excessive price impact.

Why it matters: Thin liquidity increases slippage, instability, and exit uncertainty.

Slippage

Definition: The difference between expected execution price and actual execution price.

Why it matters: Wide slippage tolerance can expose users to worse execution or exploitative routing.

Rug Pull

Definition: A scam or abuse pattern where project control, liquidity control, or user trust is exploited to inflict loss on participants.

Why it matters: It is a common reminder that visible tokens, markets, and websites are not enough to prove legitimacy.

Imposter Token

Definition: A fake or misleading token using similar branding, symbols, or presentation to imitate a legitimate project.

Why it matters: Buying or approving the wrong contract is often irreversible.

Audit & verification terms

Security Audit

Definition: A structured review of code, architecture, assumptions, or control design intended to identify weaknesses and reduce risk.

Why it matters: Audits reduce risk but do not prove the total absence of bugs or exploit paths.

Formal Verification

Definition: The mathematical proof of specific code properties under explicit assumptions and modeled conditions.

Why it matters: It can provide very strong guarantees for narrow invariants, but it is only as complete as its scope and assumptions.

Monitoring

Definition: Continuous collection and analysis of logs, metrics, alerts, events, or on-chain signals to detect abnormal behavior.

Why it matters: Fast detection often determines whether an incident remains small or becomes materially damaging.

Verification-first

Definition: A design philosophy where important platform claims are tied as closely as possible to evidence rather than private assertion alone.

Why it matters: Verification-first systems reduce blind trust and make high-impact states easier to audit later.

Forward-only Record

Definition: A record model where corrections and updates are expressed as new entries or explicit state transitions instead of silent rewrites.

Why it matters: It preserves history, improves auditability, and reduces ambiguity after disputes or incidents.

Privacy & data terms

PII (Personally Identifiable Information)

Definition: Data that can identify a person directly or indirectly, such as an email address, phone number, or government-linked identifier.

Why it matters: Collecting and retaining more PII usually increases compliance burden and breach impact.

Data Minimization

Definition: The practice of collecting only necessary data, limiting retention, and restricting access to what is actually needed.

Why it matters: Less retained sensitive data means less exposure when systems or processes fail.

Pseudonymous

Definition: Not directly named, yet still potentially linkable to a person or activity pattern through surrounding context.

Why it matters: “Not directly identifying” does not automatically mean “private.”

Telemetry

Definition: Product, system, or reliability signals collected to improve security, stability, and performance.

Why it matters: Telemetry can become sensitive if designed carelessly, so minimization still matters.

Incident response

Security Incident

Definition: An event threatening the confidentiality, integrity, or availability of systems, accounts, assets, or operational controls.

Why it matters: Clear incident definitions improve response speed and escalation discipline.

Severity

Definition: A classification of impact and urgency, often expressed through levels such as critical, high, medium, or low.

Why it matters: Severity helps limited attention focus on the most dangerous issues first.

Responsible Disclosure

Definition: The practice of reporting vulnerabilities privately so remediation can occur before public exposure where possible.

Why it matters: It reduces exploitation windows and helps protect users during the fix cycle.

Containment

Definition: The immediate effort to stop an incident from spreading or causing additional damage after detection.

Why it matters: Strong containment often matters more than perfect diagnosis in the first moments of a real incident.

External markets

Definition: Project-controlled sources of truth for canonical domains, policies, contract references, and verified announcements.

Why it matters: Official links reduce exposure to impersonation, fake tokens, and false market references.

Third-party Risk

Definition: Risk introduced by external services such as exchanges, bridges, wallets, RPC providers, hosting vendors, or analytics providers.

Why it matters: External failures can impact users and platform behavior even when first-party systems remain healthy.

Counterparty Risk

Definition: The risk that another party or dependency in a transaction or process fails to perform as expected.

Why it matters: In crypto-native environments, counterparties may include service providers, liquidity venues, bridges, or infrastructure dependencies.

Missing a term?
If a term appears in the Security docs and is not defined here yet, add it to this page and keep its meaning consistent with the canonical Security policy pages.

Change log

  • 2026-03-22: Updated glossary to the current PVERSE Security docs template and aligned terms with the latest Security section language.
  • 2026-02-12: Initial glossary for Security docs.