Much is now understood about how to develop software that will have good security properties in use. We claim that a topic which needs more attention, in particular from the Bx community, is security, especially confidentiality, in the software development process itself. What is then at issue is not what particular users of the software may be allowed to know, but rather, what particular developers of the software may be allowed to know. How can software development processes guarantee to respect confidentiality without compromising effective development? The question is of general interest across software engineering, but model-driven development (MDD) seems a particularly promising arena in which to address it, because of MDD’s focus on separation of concerns. In MDD, different people work with separate models, where (ideally) each model records all and only the information necessary to those who work with it. When necessary, the models are reconciled by bidirectional transformations, which automate a process which would otherwise have to be undertaken manually by the groups of experts meeting and studying both their models in order to bring them back into consistency. In model-driven development confidentiality issues become particularly clear and tractable, and bidirectional transformations have a key technical role. We hope to encourage the community to take up this challenge, and in this paper we begin our own analysis of a selection of the issues, focusing particularly on developing a threat model and some examples of secure restoration of consistency.