An official OWASP community project mapping the security risks of the quantum era in a practical, vendor-neutral, and risk-based way - the antidote to hype and fear.
Status: Bootstrap phase. The OWASP Top 10 for Quantum Security Risks is at draft v0.1 and open for community input. It is our starting point, not the finished list.
NIST, the UK NCSC, and EU institutions have all issued concrete guidance on post-quantum cryptography, crypto-agility, and harvest-now-decrypt-later mitigation - while quantum systems themselves move from research into cloud and enterprise environments. Yet security teams still face three gaps:
- No concise, prioritised view of quantum security risks.
- No widely adopted threat model for quantum platforms.
- Organisational readiness and platform security are treated separately.
This project closes those gaps with work that is:
- Practical and immediate - helping defenders act on quantum risk today, not in a decade.
- Systematic and risk-based - mapping the landscape in a structured, prioritised way.
- Actionable and grounded - tied to recognised guidance from NIST, NCSC, and the EU.
- One community - connecting research, industry, and practitioners in a shared effort.
| Track | Focus | Key deliverables |
|---|---|---|
| Track 1 (primary, year one) | Quantum security risks & readiness | OWASP Top 10 for Quantum Security Risks, mitigation guidance, and a Quantum Readiness Assessment Assistant |
| Track 2 (parallel) | Quantum platform threat modeling | Threat models, reference architectures, attack-surface mapping, and secure-design guidance for quantum platforms |
- John Sotiropoulos
- Roy Barkay
The project runs expert-backed and community-driven, with open and transparent peer review and project-lead sign-off. Additional working-group and entry leads are being onboarded as the project matures.
Draft v0.1. Each entry lives under quantum-top-10/.
QS01-QS07 address the migration surface - risks to organisations whose existing classical cryptography must be replaced with post-quantum equivalents. QS08-QS10 address the platform surface - risks to organisations running workloads on quantum computing platforms.
| ID | Risk | Primary anchor |
|---|---|---|
| QS01 | Harvest-Now-Decrypt-Later Exposure | EU Roadmap end-2030; NCSC 2031; NSM-10 |
| QS02 | Long-Lived Sensitive Data | Mosca's inequality; EU Roadmap end-2030 |
| QS03 | Vulnerable Signatures and Code-Signing | NSA CNSA 2.0 by 2030; CRA Annex I |
| QS04 | Absent Cryptographic Inventory and CBOM | NCSC 2028; EU Roadmap end-2026 |
| QS05 | Crypto-Agility Failures | NIS2 Article 21(2)(h); IETF PQUIP/TLS WG |
| QS06 | Insecure Migration and Hybrid Misuse | EU Roadmap end-2030 standalone-classical prohibition |
| QS07 | Hardware Roots of Trust | NCSC 2028 milestone; CRA Annex IV |
| QS08 | QPU Tenant Isolation Failures | Li et al. NDSS 2025; Xu et al. CCS 2023 |
| QS09 | Toolchain and Compiler Compromise | Suresh et al. HASP 2021; Chu et al. ICASSP 2023 |
| QS10 | Side-Channel and Control-Plane Exposure | Mi et al. CCS 2022; Xu et al. CCS 2023 |
Each entry follows a common template: description, common examples, prevention, example attack scenarios, references, and a standards-and-regulatory mapping.
The project runs a monthly community call, with additional calls on demand as the
work picks up. Decks for every call are published in calls/, starting
with the project kick-off deck; decks for subsequent calls are added there as they
happen.
Feedback and contributions are welcome - this is a community project and the Top 10 is explicitly a draft opened for discussion.
1. Clone the repository
git clone https://github.com/OWASP/quantum-security-project.git
cd quantum-security-project2. Propose a change with a pull request
git checkout -b my-contribution
# edit or add entries under quantum-top-10/ (start from _template.md for new risks)
git commit -am "Describe your change"
git push -u origin my-contributionThen open a pull request against main. Please ground new or revised content in
published standards, regulation, or peer-reviewed research, and keep the project
vendor-neutral.
3. Or share feedback via GitHub Issues
Prefer to discuss before writing a change? Open an issue to suggest a candidate risk, flag an error, question the selection or ordering, or start a conversation. Issues are the best place for feedback that isn't yet a concrete edit.
Quick submission forms
During the bootstrap phase you can also contribute via these forms without using GitHub:
- Top 10 for Quantum Security - candidate risks & feedback
- Work Areas & Proposals - propose a topic or working area
- Homepage: quantum-owasp.org
- GitHub: github.com/OWASP/quantum-security-project
- OWASP Slack:
#project-quantum-security- join the OWASP Slack - Email: contribute@quantum-owasp.org
The project follows OWASP's standard documentation and contribution practices, including the OWASP Code of Conduct and vendor neutrality.
Content is released under the Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0) license.