Add security page #327
Add security page #327
Conversation
| @@ -136,6 +136,10 @@ export default defineConfig({ | |||
| label: 'Status', | |||
| link: '/status', | |||
| }, | |||
| { | |||
| label: 'Security', | |||
| link: '/security', | |||
There was a problem hiding this comment.
Is this PR meant to replace the one for shorebird.dev/security? Or are the two meant to co-exist? If so what's the difference in the content?
There was a problem hiding this comment.
They're meant to coexist. The handbook describes a policy , this document is meant to be more developer facing and to answer specific questions.
|
|
||
| ## Release Artifact Privacy | ||
|
|
||
| Your release artifacts (created by `shorebird release`) are hosted privately on |
There was a problem hiding this comment.
Importantly the Release artifacts are the same ones they publish to the stores.
| Over the air: | ||
|
|
||
| 1. Patches are not full artifacts; rather, they are binary diffs. To create a | ||
| patch, you need access to the release artifact, which is private. |
There was a problem hiding this comment.
Release's made to the stores are public, so it's easy to get that release artifact.
| 1. When the app boots, we ensure that the inflated patch is the same size as it | ||
| was when it was first inflated. If the size has changed, we will not attempt | ||
| to boot it. | ||
| 2. (Optional) you can opt in to patch signing. This involves including a private |
There was a problem hiding this comment.
This is the main protection, and really needs to be default. We should pitch it as though it is the recommended option/default.
| This is the highest level of security for patches. Read more about it | ||
| [here](/guides/patch-signing). | ||
|
|
||
| ## Data privacy |
There was a problem hiding this comment.
I might lead with this section. Our privacy stance informs our risk-area of security.
|
|
||
| ## Shorebird on the public cloud | ||
|
|
||
| While we do not offer SOC2, ISO 27001 certifications, Shorebird exclusively |
There was a problem hiding this comment.
We should say that we're in the process of doing our ISO 27001 certification (I just have to sign the contract in my inbox), expected Q2 2025.
Status
READY
Description
Adds a security page that answers some of the more common questions we get about security.