
Security: Dstack-TEE/dstack

SECURITY.md

Security

Use this file for vulnerability reports. For the security model, production guidance, audit, and already-answered public findings, start with Security Documentation.

Report a vulnerability

If you believe you have found a vulnerability, please use GitHub's private security reporting features for this repository. If GitHub private reporting is unavailable, contact security@phala.network.

Do not open public GitHub issues for exploitable vulnerabilities or details that could help exploit production deployments.

Use private reporting for issues that could expose secrets, bypass attestation or authorization, compromise KMS keys, weaken workload isolation, or enable unauthorized code or configuration changes in production deployments.

Public security questions

Use public issues only for questions about documented behavior, documentation gaps, already-public findings, or hardening ideas that do not include an exploit path.

Before opening a public security question, check Public Security Reports. It records public report status and related hardening or roadmap work.

Production trust boundary

Development settings are not production-safe merely because they are present in the codebase. Production deployments must rely on measured configuration, expected TEE measurements, authorization policy, and attestation verification. The Security Model is the source of truth for what dstack treats as a production guarantee.
