main is a landing-page branch with no TEE code; the code that needs auditing
lives on other branches (notably experimental-web3). For a brief map of those
scanning targets and the per-platform trust-boundary references, see
docs/security-model.md.

We take a very active stance in eliminating security problems in Teaclave. We strongly encourage folks to report such problems to our private mailing list first (private@teaclave.apache.org), before disclosing them in a public forum.