<!-- AUTO-GENERATED, DO NOT EDIT! -->
<!-- Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/SECURITY.md -->

# Ory Security Policy

This policy outlines Ory's security commitments and practices for users across
different licensing and deployment models.

To learn more about Ory's security service level agreements (SLAs) and
processes, please [contact us](https://www.ory.sh/contact/).

## Ory Network Users

- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according
  to the following guidelines:
  - Critical: Typically addressed within 14 days.
  - High: Typically addressed within 30 days.
  - Medium: Typically addressed within 90 days.
  - Low: Typically addressed within 180 days.
  - Informational: Addressed as necessary.

  These timelines are targets and may vary based on specific circumstances.
- **Release Schedule:** Updates are deployed to the Ory Network as
  vulnerabilities are resolved.
- **Version Support:** The Ory Network always runs the latest version, ensuring
  up-to-date security fixes.

## Ory Enterprise License Customers

- **Security SLA:** Ory addresses vulnerabilities based on their severity:
  - Critical: Typically addressed within 14 days.
  - High: Typically addressed within 30 days.
  - Medium: Typically addressed within 90 days.
  - Low: Typically addressed within 180 days.
  - Informational: Addressed as necessary.

  These timelines are targets and may vary based on specific circumstances.
- **Release Schedule:** Updates are made available as vulnerabilities are
  resolved. Ory works closely with enterprise customers to ensure timely updates
  that align with their operational needs.
- **Version Support:** Ory may provide security support for multiple versions,
  depending on the terms of the enterprise agreement.

## Apache 2.0 License Users

- **Security SLA:** Ory does not provide a formal SLA for security issues under
  the Apache 2.0 License.
- **Release Schedule:** Releases prioritize new functionality and include fixes
  for known security vulnerabilities at the time of release. While major
  releases typically occur one to two times per year, Ory does not guarantee a
  fixed release schedule.
- **Version Support:** Security patches are only provided for the latest release
  version.

## Reporting a Vulnerability

For details on how to report security vulnerabilities, visit our
[security policy documentation](https://www.ory.sh/docs/ecosystem/security).