Security
This is Shorebird’s public security policy for the Shorebird system and products. This document exists to educate Shorebird employees and to serve as a reference for customers.
Authorship and change history for this policy are visible in the git history of this document.
Management reviews this document annually. Last Reviewed: April 2025.
Changes or exceptions to these policies should be reviewed by the CEO.
About Shorebird
Section titled “About Shorebird”Shorebird is a software application. Most of its code is open source and publicly reviewable on GitHub. Shorebird uses Google Cloud for the bulk of its infrastructure.
Shorebird takes security very seriously, taking several steps to protect the data you give it, requiring only data that is absolutely necessary for product functionality, and ensuring that only you can publish changes to your account and applications.
Shorebird only offers a hosted service at this time and does not currently offer on-prem or cloud-prem solutions.
Company security policy
Section titled “Company security policy”This document is focused on the specifics of the Shorebird system and product. If there are questions that relate to the overall company security policy, please refer to the Compliance section in the Shorebird Handbook.
Throughout this document, the following terms are used:
- Customer / you: A user of Shorebird.
- End User: A user of a Customer’s application.
Acceptable use
Section titled “Acceptable use”Use of Shorebird is governed by the Terms of Service. Logging and alerting are in place to ensure the service is not used for malicious purposes or in a way that would disrupt the service for other users.
Infrastructure
Section titled “Infrastructure”Shorebird is hosted on Google Cloud and uses Google Cloud’s security features to secure its infrastructure, including a dedicated VPC.
Currently, Shorebird only uses Google Cloud’s Iowa region, with plans to expand to other regions in the future for international customers.
Shorebird uses Google Cloud’s managed services where possible, relying on Google Cloud to manage and update these services daily rather than managing custom versions of software or operating systems. For example, Shorebird’s application endpoints use Google Cloud Run, a managed service that lives no longer than an hour, allowing Google to continuously manage the underlying infrastructure including patching. Other parts of Shorebird’s infrastructure are similar.
Architecture
Section titled “Architecture”More detail on Shorebird’s architecture is available in the architecture documentation.
Shorebird servers
Section titled “Shorebird servers”shorebird tools communicate with Shorebird’s cloud on your behalf. Shorebird
exclusively uses public cloud infrastructure and does not maintain custom
servers, using Google Cloud and Cloudflare for all publicly accessible
endpoints.
The following URLs are used by Shorebird.
- https://console.shorebird.dev — used to interact with Shorebird’s services via the web.
- https://api.shorebird.dev — used by the
shorebirdcommand-line tools to interact with the Shorebird servers as well as the Shorebird updater on users’ devices to check for updates. - https://download.shorebird.dev — used by the
shorebirdcommand-line tool to download Flutter artifacts for building releases and patches. - https://storage.googleapis.com — used by the
shorebirdcommand-line tool to upload and download release and patch artifacts, and by the Shorebird updater on user’s devices to download the patches. - https://cdn.shorebird.cloud/ — used by the Shorebird updater when downloading patches to a user’s device.
Because all access is done via HTTPS to public cloud infrastructure, typically no specific access rules are required to access Shorebird servers from within a company network.
Product access control
Section titled “Product access control”Shorebird accounts are managed through Google or Microsoft SSO (OAuth). Shorebird intentionally does not support other access methods and does not store passwords for users.
Shorebird accounts provide role-based access control on a per-application basis, which is described in the Organizations product documentation.
Production access
Section titled “Production access”Shorebird uses Google Cloud IAM for access control and Google Cloud Logging for logging.
A small number of engineers have access to production systems, using a dedicated machine for that access. Production changes are all done via CI/CD pipelines, as detailed in the Change Management section.
Shorebird has an additional (read-only) admin layer to a subset of its production systems for monitoring and support purposes.
Network access
Section titled “Network access”Shorebird is a web application that uses HTTPS for all communication with customers, using Google Cloud’s managed SSL certificates for this.
Use of Shorebird requires access to the following web addresses:
api.shorebird.devconsole.shorebird.devstorage.googleapis.comcdn.shorebird.cloud
Only the https port should be needed for access to Shorebird.
See also https://docs.shorebird.dev/faq/#can-i-use-shorebird-in-my-country.
User access review
Section titled “User access review”User access to Shorebird’s systems is reviewed periodically, as well as when an employee joins or leaves the company. All access to Shorebird systems is gated through Google SSO, including required two-factor authentication.
Network security
Section titled “Network security”Both Shorebird’s application and infrastructure are hosted on Google Cloud, using Google Cloud’s network security features to secure the infrastructure, including restricting all public access outside of the application endpoint.
Dedicated machines are used for direct access to the production environment; access is restricted to a small number of engineers and is logged.
Intrusion detection / prevention / monitoring
Section titled “Intrusion detection / prevention / monitoring”Shorebird relies on Google Cloud network security for network-level intrusion detection. All actions within Shorebird’s systems are logged and regularly reviewed, and alerting is maintained and delivered to the engineering team for both web products and backend database and servers.
Change management
Section titled “Change management”Code reviews
Section titled “Code reviews”All code should be reviewed by at least one other engineer before being merged. Branch policies are in place on all repositories to ensure this. This is done in service of security, but also in service of code quality — code reviews are the best way to ensure that code is secure, maintainable, and understandable.
Dependencies
Section titled “Dependencies”Dependencies are kept up to date. All repositories are expected to use Dependabot to automatically open pull requests for dependency updates.
All production code has 100% test coverage. Automated tests are in place to ensure that changes do not break the application. Debugging or non-production code is not required to have 100% test coverage.
Deployment
Section titled “Deployment”All changes to production are deployed through a CI/CD pipeline using GitHub Actions. A staging environment is used for testing changes before they’re deployed to production.
The CI/CD pipeline runs tests, linters, and other checks before deploying to production, and is configured with unique service accounts that have the minimum permissions necessary to deploy to production.
Rollbacks
Section titled “Rollbacks”Changes to production can be rolled back. Typically this is done via a revert commit and a new deployment; however, individual services in the infrastructure can also be rolled back to previous versions if necessary.
Incident response
Section titled “Incident response”Shorebird has a private playbook for incident response, with logging and alerting in place to detect and respond to incidents. Dedicated private channels on Discord are used for response, along with back-up text communication pathways and phone numbers for all engineers.
There is not currently separate incident tracking beyond Shorebird’s public GitHub. Customers affected by incidents (security or otherwise) have always been notified via their billing email address, and this will continue going forward.
Post-mortems
Section titled “Post-mortems”A post-mortem process is in place for incidents. A post-mortem is prepared for all incidents within 48 hours of their occurrence and used to improve systems and processes. Post-mortems are not currently shared publicly, although this is being considered for the future.
Data usage & security
Section titled “Data usage & security”Data privacy
Section titled “Data privacy”See the privacy policy: https://shorebird.dev/privacy
The information collected from you is used to provide the service to you. It is not sold or shared with third parties, except as required by law. Your data is stored in association with your account and deleted when you delete your account.
Shorebird does not process, transmit, or store personally identifiable information for customers’ end users, and takes care to store as little data from customers (you) as possible.
Data retention
Section titled “Data retention”Customer data is retained for as long as you have an account with Shorebird. Customers are able to access and delete their data at any time. Aggregated, anonymized data is retained for analytics purposes beyond termination of your account.
Customers can delete almost all information in their account by hand; however, deleting the final database row requires contacting support at this time: https://docs.shorebird.dev/uninstall/
See the privacy policy for more information: https://shorebird.dev/privacy
Data security
Section titled “Data security”Shorebird uses Google Cloud’s managed services for backups. This data (as well as all data in Google Cloud) is encrypted at rest. https://cloud.google.com/docs/security/encryption-in-transit https://cloud.google.com/docs/security/encryption/default-encryption
Shorebird is not aware of any past data breaches of any form. In the event of a breach, all customers will be notified promptly unless otherwise required by local law enforcement.
Data separation
Section titled “Data separation”Shorebird does not currently use per-tenant data storage. It uses a single, secured, non-publicly-reachable database (AlloyDB) for all system data, and a variety of private cloud buckets for storing customer data files, currently segmented by purpose rather than customer/tenant.
As noted elsewhere, Shorebird does not store any information about your customers.
Customer data stored for you is limited to your email addresses and the data files you have created within the service. Stripe stores your billing information on Shorebird’s behalf.
Confidentiality
Section titled “Confidentiality”Shorebird’s Terms of Service and Privacy Policy cover its obligations to you as a customer.
Customer Data (data about you as a user of Shorebird)
Section titled “Customer Data (data about you as a user of Shorebird)”In general, customer data is not accessed unless required as part of providing you support or monitoring the service for usage and security.
Customer data is treated as confidential, with logging in place to detect unauthorized access. Customer data may be accessed by employees as part of providing support to you.
Customer data is not shared with third parties except as required by law. A few third-party services are used to run the business; see the privacy policy for the list of vendors: https://shorebird.dev/privacy/
Very little data is stored for or about customers. Examples of customer data stored include:
- Email address and Name
- Stripe Customer ID (payment information is not stored)
- Built applications archives (e.g.,
.xcarchive,.aabfor Releases and Patches) - Release Metadata (e.g., Flutter version, Xcode version, Java version, etc.)
Shorebird servers never see or store your source code. All shorebird commands
run locally on devices you control and only upload the built application
archives (same binaries you distribute to stores and your users) to Shorebird’s
servers for your later use or distribution.
Google Cloud encrypts all data at rest by default.
End user data (data about Shorebird’s customers’ end users)
Section titled “End user data (data about Shorebird’s customers’ end users)”Shorebird does not process, transmit or store personally identifiable information for customers’ end users, and does not have access to end user data. Customer security forms often ask for information about how Shorebird handles end user data — it does not handle end user data.
Some regions consider IP addresses to be personally identifiable information, Google Cloud does record IP addresses in logs. These IP addresses in logs are not accessed for any purpose other than security and monitoring.
Shorebird’s product allows you, and only you, to update the code of your application on end user devices. Shorebird does not collect or wish to collect any information from these users or devices.
Third-party assessments
Section titled “Third-party assessments”Shorebird has no third-party security, network, or other assessments to share at this time. Some larger customers have performed their own audits of the provided infrastructure, and adjustments have been made based on their feedback when appropriate.
As noted in other parts of this document, Shorebird intentionally does not run its own servers or build its own network infrastructure, relying instead on Google and Cloudflare servers and networks to reduce total exposure and upgrade/maintenance burdens.
Bug bounty
Section titled “Bug bounty”Shorebird does not currently offer a bug bounty program, but welcomes reports of security vulnerabilities. Please see the Vulnerability Management Policy for more details.