Security

OrbitalReg is built around the assumption that a self-hosted artifact registry sits in the middle of every customer's software supply chain. That makes our security posture part of their security posture — and it makes a clearly published vulnerability-handling process a procurement-blocker, not a nice-to-have.

This section is the operator-facing reference for how OrbitalReg handles security: how we accept reports, what we promise on triage, how we ship fixes, and how we credit reporters.

Pages

  • Vulnerability disclosure policy — the full policy: what's in scope, response targets, the PGP key, the Hall of Fame, and worked examples of a coordinated disclosure timeline.

What lives elsewhere

  • SECURITY.md in the repository root is the GitHub-convention short form; GitHub surfaces it on the Security tab and links it from the Report a vulnerability button.
  • Operations runbooks cover the operator-side response when an advisory drops (upgrade path, image verification with cosign, air-gapped patch ingestion).
  • License tiers explains why pre-disclosure emails go to commercial-tier customers first and why the public advisory window covers everyone.

Why publish this at all?

Two reasons:

  1. Procurement reviews uniformly ask for a documented vulnerability-handling process and a security-contact address. Pointing to SECURITY.md + this page closes the line item without round-tripping with sales.
  2. Coordinated disclosure works better with strangers. Researchers who can find the policy in 15 seconds spend their time on the actual finding instead of guessing where to send it.

Released under the Apache-2.0 License.