We take security incidents very seriously. If you've found an exploit or any potential breach please let us know. Send an email to firstname.lastname@example.org with as much information as possible. All emails will be answered within 24 hours, even if the fix will take longer to be tested and deployed.
We ask that reports not be disclosed until a fix has been released. As soon as we acknowledge the report, you'll have direct contact with our security team, where additional information can be exchanged. If you have found out an exploit and already have a fix for it, we ask that you not submit a pull request directly in Github, where our source code is hosted. This would effectively disclose the issue to the public (and any potentially malicious attackers). Instead, we ask that you please send the patch to the email address above. Once a fix is released, we'll acknowlege it publicly and give credit to the original reporter.
It is of utmost importance to Amara that your data is safe. We have a distributed data storage platform will keep your data safe in the face of hardware failure and take daily data snapshots just in case. We rely industry standard practices and security conscious vendors to keep our system safe. We keep all base software up to date with the latest security patches, and all servers are monitored against intrusion.