chore: update repository templates to 939b80fbfd
This commit is contained in:
parent
aed5bd9a62
commit
05d49743b0
57
SECURITY.md
57
SECURITY.md
@ -10,21 +10,54 @@
|
||||
|
||||
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
||||
|
||||
# Security Policy
|
||||
# Ory Security Policy
|
||||
|
||||
## Supported Versions
|
||||
## Overview
|
||||
|
||||
We release patches for security vulnerabilities. Which versions are eligible for
|
||||
receiving such patches depends on the CVSS v3.0 Rating:
|
||||
This security policy outlines the security support commitments for different
|
||||
types of Ory users.
|
||||
|
||||
| CVSS v3.0 | Supported Versions |
|
||||
| --------- | ----------------------------------------- |
|
||||
| 9.0-10.0 | Releases within the previous three months |
|
||||
| 4.0-8.9 | Most recent release |
|
||||
## Apache 2.0 License Users
|
||||
|
||||
- **Security SLA:** No security Service Level Agreement (SLA) is provided.
|
||||
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
|
||||
will contain all security fixes implemented up to that point.
|
||||
- **Version Support:** Security patches are only provided for the current
|
||||
release version.
|
||||
|
||||
## Ory Enterprise License Customers
|
||||
|
||||
- **Security SLA:** The following timelines apply for security vulnerabilities
|
||||
based on their severity:
|
||||
- Critical: Resolved within 14 days.
|
||||
- High: Resolved within 30 days.
|
||||
- Medium: Resolved within 90 days.
|
||||
- Low: Resolved within 180 days.
|
||||
- Informational: Addressed as needed.
|
||||
- **Release Schedule:** Updates are provided as soon as vulnerabilities are
|
||||
resolved, adhering to the above SLA.
|
||||
- **Version Support:** Depending on the Ory Enterprise License agreement
|
||||
multiple versions can be supported.
|
||||
|
||||
## Ory Network Users
|
||||
|
||||
- **Security SLA:** The following timelines apply for security vulnerabilities
|
||||
based on their severity:
|
||||
- Critical: Resolved within 14 days.
|
||||
- High: Resolved within 30 days.
|
||||
- Medium: Resolved within 90 days.
|
||||
- Low: Resolved within 180 days.
|
||||
- Informational: Addressed as needed.
|
||||
- **Release Schedule:** Updates are automatically deployed to Ory Network as
|
||||
soon as vulnerabilities are resolved, adhering to the above SLA.
|
||||
- **Version Support:** Ory Network always runs the most current version.
|
||||
|
||||
[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
|
||||
SLAs and process.
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Please report (suspected) security vulnerabilities to
|
||||
**[security@ory.sh](mailto:security@ory.sh)**. You will receive a response from
|
||||
us within 48 hours. If the issue is confirmed, we will release a patch as soon
|
||||
as possible depending on complexity but historically within a few days.
|
||||
If you suspect a security vulnerability, please report it to
|
||||
**[security@ory.sh](mailto:security@ory.sh)**. We will respond within 48 hours.
|
||||
If confirmed, we will work to release a patch as soon as possible, typically
|
||||
within a few days depending on the issue's complexity.
|
||||
|
Loading…
x
Reference in New Issue
Block a user