Most marketplaces hide their incidents. We publish ours — including the ones that look bad — because the alternative is the kind of silent drift that destroys trust over years. When something goes wrong here, you find out about it on this page.
Security issues found in flareo.dev itself or our API. Reported through /security, fixed, then disclosed here.
A CVE drops affecting a module that's already in the catalog. We rebuild, scan, post the timeline here, and (if needed) recommend remediation for active deployments.
Modules removed from the catalog — abandoned upstream past the threshold, malicious activity, takedown request, etc. With reason category.
Compromise of an upstream we depend on, a Sigstore outage that affected signing, a registry incident at GHCR. The dependency chain is ours; its incidents are too.
Major service disruptions — pipeline outages > 1 hour, sandbox provisioner failures, billing system outages. Smaller blips go to /status, not here.
For every P0/P1 incident, a written postmortem follows within 14 days: what happened, what we did, what we'll change, what we won't change.
At launch this page reads as "nothing happened." That's accurate; it won't stay that way forever. When the first incident lands, it appears here with timeline, scope, mitigation, and reporter credit — within hours of resolution for P0/P1, within 14 days with a full postmortem for everything that warrants one.
We've kept this page visible from launch (rather than waiting until we have something to put on it) because the commitment to publish is the part you can verify before any incident exists.
See something we should publish? Report it.
We treat unreported incidents we discover ourselves the same as externally reported ones — they all land here.