For the SDK's trust model, trust boundaries (Normal World vs. Secure World), and security assumptions — including guidance for developers and automated security reviewers — see docs/security-model.md.

We take a very active stance in eliminating security problems in Teaclave. We strongly encourage folks to report such problems to our private mailing list first (private@teaclave.apache.org), before disclosing them in a public forum.