S ShipAudit

Methodology 0.1-validation

Clear scope beats a vague security score.

ShipAudit measures observable HTTP security hygiene within the stated scope. It is not a vulnerability scan, penetration test, compliance assessment, or security certification.

Current

Validation Phase (Now)

ShipAudit's own automated public scanner is not live. Founding Expert Reviews use public tools (for example MDN HTTP Observatory-style checks), a fixed checklist, and human judgment. We do not claim that ShipAudit auto-scan has already run.

Report Types

sample
sample_report — example data only.
active
expert_review — human written delivery (current paid SKU).
planned
public_baseline — future server-side passive check (deferred).
planned
verified_launch_check — after ownership proof (deferred).
reserved
local_diagnostic — reserved; not a verified report.

Future Public Baseline (Planned)

When Gate A/B conditions in the product spec are met, automated checks may cover HTTPS behavior, security response headers, cookie attributes, unsafe page resources and high-confidence public secret patterns — without requesting common sensitive paths on free scans.

Scores (When Automation Ships)

Scores will be configuration hygiene only. Required subtitle: Configuration hygiene score — not proof that the application is secure.

What ShipAudit Cannot Prove

It cannot prove that an application is secure, compliant, free from business-logic flaws or protected from future vulnerabilities. Authenticated flows, source code and infrastructure require separately authorized scope.

Contact

Security and customer email: security@laws3.net