Security Policy — Shoofly

What do we store?

We store the minimum necessary to operate the service:

Email address — provided at checkout via Stripe
Stripe session ID — to link purchases to install tokens

That's it. We do not store agent data, prompts, telemetry, logs, or any user activity. Shoofly runs locally on your machine — nothing phones home.

Where is data stored?

Our backend runs on Railway. Data is encrypted in transit (TLS) and at rest on Railway's infrastructure.

Reporting a vulnerability

If you discover a security vulnerability, please report it responsibly:

Email security@shoofly.dev with details of the vulnerability
Include steps to reproduce, if possible
Do not publicly disclose the issue until we've had a chance to address it

Our commitment:

We will acknowledge your report within 48 hours
We will work to fix confirmed vulnerabilities within 90 days
We will keep you informed of our progress
We will credit you in the advisory (unless you prefer to remain anonymous)

Note: security@shoofly.dev needs to be set up. Flag for Evan.

Safe harbor

We consider good-faith security research to be authorized conduct. If you act in good faith and in accordance with this policy, we will not pursue legal action against you. We ask that you:

Make a genuine effort to avoid privacy violations, data destruction, or service disruption
Only interact with accounts you own or with explicit permission
Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue

Scope

In scope:

shoofly.dev (the website and backend API)
Shoofly Basic (GitHub: shoofly-dev/shoofly)
Shoofly Advanced (the installable product)

Out of scope:

Third-party services (Stripe, Resend, Railway)
Denial-of-service attacks
Social engineering or phishing
Physical security

CVE disclosure

For vulnerabilities that warrant a CVE, we will use GitHub Security Advisories to coordinate disclosure and publish advisories.

security.txt

The following content is also available at /.well-known/security.txt:

Contact: mailto:security@shoofly.dev
Expires: 2027-03-26T00:00:00.000Z
Preferred-Languages: en
Canonical: https://shoofly.dev/.well-known/security.txt
Policy: https://shoofly.dev/security

Contact

Security issues: security@shoofly.dev

General support: support@shoofly.dev