From 022beb80639190a4e47734e673dd6ab65a0a1172 Mon Sep 17 00:00:00 2001
From: Bryan Oltman <bryan@shorebird.dev>
Date: Tue, 14 Jan 2025 15:00:18 -0500
Subject: [PATCH 1/3] Add security page

---
 astro.config.mjs             |  4 +++
 src/content/docs/security.md | 66 ++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 src/content/docs/security.md

diff --git a/astro.config.mjs b/astro.config.mjs
index 358d2bae..698e2c37 100644
--- a/astro.config.mjs
+++ b/astro.config.mjs
@@ -136,6 +136,10 @@ export default defineConfig({
           label: 'Status',
           link: '/status',
         },
+        {
+          label: "Security",
+          link: "/security",
+        },
         {
           label: 'Billing',
           link: '/billing',
diff --git a/src/content/docs/security.md b/src/content/docs/security.md
new file mode 100644
index 00000000..36b9fee5
--- /dev/null
+++ b/src/content/docs/security.md
@@ -0,0 +1,66 @@
+---
+title: Security
+description: Security
+---
+
+Shorebird takes security very seriously. We take several steps to make sure that
+we protect the data you give us, that only you can publish changes to your app,
+and that the patches your users get are the same ones you created.
+
+## Release Artifact Privacy
+
+Your release artifacts (created by `shorebird release`) are hosted privately on
+GCP and are not publicly visible. When they need to be downloaded by you (to run
+`shorebird preview`, for example), we generate a signed URL that requires your
+auth credentials and expires after a short period of time.
+
+## Patch Integrity
+
+The most common security question we get is: How do you verify that the patches
+our users are downloading are the ones that I created and that they haven't been
+tampered with?
+
+We ensure the integrity of patches in several ways.
+
+Over the air:
+
+1. Patches are not full artifacts; rather, they are binary diffs. To create a
+   patch, you need access to the release artifact, which is private.
+2. When a patch is "inflated" (i.e., the binary diff is applied to the base
+   release), we verify that the md5 hash of the _inflated_ patch matches what is
+   in the patch check response.
+
+On device:
+
+1. When the app boots, we ensure that the inflated patch is the same size as it
+   was when it was first inflated. If the size has changed, we will not attempt
+   to boot it.
+2. (Optional) you can opt in to patch signing. This involves including a private
+   key with your release and signing your patches when you create them. If a
+   patch is signed, we verify its signature before attempting to boot from it.
+   This is the highest level of security for patches. Read more about it
+   [here](/guides/patch-signing).
+
+## Data privacy
+
+Shorebird is committed to privacy and provides a high standard of privacy
+protection to all our customers and their customers. We never collect data from
+your customers, and only collect the data necessary from you to provide services
+to you. We take care to protect your data that you entrust with us.
+
+Read our [privacy policy](/privacy).
+
+## Shorebird on the public cloud
+
+While we do not offer SOC2, ISO 27001 certifications, Shorebird exclusively
+relies on vendors who do. Shorebird explicitly does _not_ build its own servers
+or data storage, relying only on public cloud vendors with rigorous security
+such as CloudFlare and Google Cloud.
+
+## Learn more
+
+Read our [public security policies](https://handbook.shorebird.dev/security).
+
+## Other questions?
+
+Feel free to contact us at contact@shorebird.dev or reach out to us on Discord.

From 73afda543569bce3f4b65e42526b811da0a2d2ad Mon Sep 17 00:00:00 2001
From: Bryan Oltman <bryan@shorebird.dev>
Date: Tue, 14 Jan 2025 15:02:26 -0500
Subject: [PATCH 2/3] use single quotes

---
 astro.config.mjs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/astro.config.mjs b/astro.config.mjs
index 698e2c37..e1f9e900 100644
--- a/astro.config.mjs
+++ b/astro.config.mjs
@@ -137,8 +137,8 @@ export default defineConfig({
           link: '/status',
         },
         {
-          label: "Security",
-          link: "/security",
+          label: 'Security',
+          link: '/security',
         },
         {
           label: 'Billing',

From 558046c092a3c3452e219250589f0d4342016518 Mon Sep 17 00:00:00 2001
From: Bryan Oltman <bryan@shorebird.dev>
Date: Tue, 14 Jan 2025 15:04:33 -0500
Subject: [PATCH 3/3] fix privacy policy link

---
 src/content/docs/security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/security.md b/src/content/docs/security.md
index 36b9fee5..74c87fbc 100644
--- a/src/content/docs/security.md
+++ b/src/content/docs/security.md
@@ -48,7 +48,7 @@ protection to all our customers and their customers. We never collect data from
 your customers, and only collect the data necessary from you to provide services
 to you. We take care to protect your data that you entrust with us.
 
-Read our [privacy policy](/privacy).
+Read our [privacy policy](https:/shorebird.dev/privacy).
 
 ## Shorebird on the public cloud