Security

Security model

Shippie treats each tool as untrusted until the platform can verify how it should run. The container uses iframe boundaries, package receipts, app metadata, and explicit bridge APIs so tools ask for capabilities instead of reaching across the shell.

What we check

The platform scans deploys and generated packages for device support, external domains, local-data signals, security posture, and container compatibility. Runtime proof badges are earned only after Shippie observes a capability working on real devices.

• Package hashes and package metadata help users identify the version they opened.
• External domains and declared permissions are surfaced on app detail pages where available.
• Private-space invites and app grants are scoped rather than global account permissions.

Responsible disclosure

Please report suspected vulnerabilities to security@shippie.app. Include affected URLs, reproduction steps, expected impact, and whether you accessed any data that was not yours.

Do not run destructive tests, exfiltrate user data, interrupt service, or publicly disclose an issue before we have had a reasonable chance to investigate and fix it.

Current launch posture

Shippie is a web app platform. Browser isolation, Cloudflare Workers, package metadata, local storage boundaries, and user-visible capability surfaces are the core protections. Native app-store review is not part of the launch model.

No platform can guarantee absolute security. Shippie reduces default cloud exposure, makes data movement visible, and treats vulnerability reports as launch-critical.