Security Policy
NRSIP Registry security controls are designed for enterprise workloads and high-trust identity operations across runtime governance, billing, and lifecycle attestation.
Authentication and authorization
Access to `/app` and `/admin` is gated by SSO-backed sessions and role-based controls. Admin privileges are derived from controlled allowlists and domain trust policies.
Secrets and key management
Secrets are stored in Google Secret Manager, injected at runtime, and never embedded in static artifacts. Key rotation and webhook credential rollovers are supported operationally.
Monitoring and response
Uptime checks, error-rate alerting, and latency thresholds are configured in Cloud Monitoring. Incident triage includes audit correlation and customer-impact assessment.
Vulnerability disclosure
Report vulnerabilities to security@nrsip.org with reproduction steps and impact details. Critical reports receive priority handling and coordinated disclosure timelines.