This policy applies to repositories in the Registry Stack organization that do not define their own SECURITY.md.

Report suspected vulnerabilities privately through GitHub Security Advisories on the affected repository:

https://github.com/registrystack/<repository>/security/advisories/new

If GitHub advisories are unavailable, contact the maintainers through an existing private project channel before opening a public issue or pull request.

Do not open public issues or pull requests for suspected vulnerabilities.

Include the affected repository, commit, configuration shape, reproduction steps, and impact. Do not include live credentials, bearer tokens, API keys, private keys, or raw registry records in the report.

We aim to acknowledge private reports within 5 business days.

Individual repositories may publish a more specific security policy and scope. Where a repository defines its own SECURITY.md, that policy takes precedence for that repository.