To support collaborative threat analysis, the alert repository will be published, at least partially, and thus made available to the attacker. In the worst case, the adversary may be able to compromise the alert repository and gain direct access to raw alerts reported to that repository. It is thus very important to ensure that alerts are reported in a sanitized form that preserves privacy of sensitive information about the producer's network. In this section, we outline the goals of a typical attacker and the means he or she may employ to subvert our alert sharing scheme.