# Security Policy

## Our Process

Fyra Labs is committed to ensuring user security and privacy. As such, we try to ensure that our infrastructure and process are secure, which you may read about in our [FAQ](https://github.com/terrapkg/packages/wiki/FAQ#technical-details).

If you have any security questions, please reach out to us on [Discord](https://discord.gg/5fdPuxTg5Q) or through [email](mailto:security@fyralabs.com). We will try to respond promptly, although you might get a response quicker on Discord.

As a part of Fyra Labs's transparency measures, we will publicize details of any known breaches. This information will include, but will not be limited to:

* Affected users, infrastructure, and data.
* The severity of the attack.
* An in-depth explanation of how the breach occurred, including relevant security vulnerabilities.
* How Fyra Labs will better protect user data in the future, ensuring our commitment to security and privacy.

We will publish these updates on our [Twitter](https://twitter.com/TeamFyraLabs) and [Discord](https://discord.gg/5fdPuxTg5Q).

## Reporting a Vulnerability

Terra is a rolling-release package repository. As such, we push updates as soon as the upstream project releases them.

If you find a vulnerability in an upstream project, please report it to that project directly. We **will** decline reports that are solely due to an upstream bug. However, if the upstream project is unmaintained or does not resolve the vulnerability after being disclosed, you may file a security advisory. Depending on the package, we might remove it from the Terra repositories or patch it to resolve the vulnerability.

In the case of a vulnerability in our infrastructure or packaging, you may report it using [GitHub's security advisory system](https://github.com/terrapkg/packages/security/advisories). We will try to respond to reports ASAP, within 24 hours at most.

Please refrain from publicizing the vulnerability until we have published the security advisory. Not doing so **will** put end-users at risk.