chore: update repository templates to 1af2225678

2024-12-04 15:38:54 +00:00 · 2024-12-04 15:38:54 +00:00 · 9bc3112ca2
commit 9bc3112ca2
parent 34c92d26ce
5 changed files with 48 additions and 45 deletions
--- a/.github/workflows/closed_references.yml
+++ b/.github/workflows/closed_references.yml
@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Find closed references
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2-beta
        with:
          node-version: "14"
--- a/.github/workflows/conventional_commits.yml
+++ b/.github/workflows/conventional_commits.yml
@ -24,7 +24,7 @@ jobs:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - id: config
        uses: ory/ci/conventional_commit_config@master
        with:
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
      - name: Synchronize Issue Labels
        uses: ory/label-sync-action@v0
        with:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -12,7 +12,7 @@ jobs:
    if: github.repository_owner == 'ory'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: |
--- a/SECURITY.md
+++ b/SECURITY.md
@ -3,51 +3,54 @@

 # Ory Security Policy

-## Overview
+This policy outlines Ory's security commitments and practices for users across
+different licensing and deployment models.

-This security policy outlines the security support commitments for different
-types of Ory users.
-
-[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
-SLAs and process.
-
-## Apache 2.0 License Users
-
- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
-  will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current
-  release version.
-
-## Ory Enterprise License Customers
-
- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are
-  resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement
-  multiple versions can be supported.
+To learn more about Ory's security service level agreements (SLAs) and
+processes, please [contact us](https://www.ory.sh/contact/).

 ## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as
-  soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.
+- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according
+  to the following guidelines:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are deployed to the Ory Network as
+  vulnerabilities are resolved.
+- **Version Support:** The Ory Network always runs the latest version, ensuring
+  up-to-date security fixes.
+
+## Ory Enterprise License Customers
+
+- **Security SLA:** Ory addresses vulnerabilities based on their severity:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are made available as vulnerabilities are
+  resolved. Ory works closely with enterprise customers to ensure timely updates
+  that align with their operational needs.
+- **Version Support:** Ory may provide security support for multiple versions,
+  depending on the terms of the enterprise agreement.
+
+## Apache 2.0 License Users
+
+- **Security SLA:** Ory does not provide a formal SLA for security issues under
+  the Apache 2.0 License.
+- **Release Schedule:** Releases prioritize new functionality and include fixes
+  for known security vulnerabilities at the time of release. While major
+  releases typically occur one to two times per year, Ory does not guarantee a
+  fixed release schedule.
+- **Version Support:** Security patches are only provided for the latest release
+  version.

 ## Reporting a Vulnerability

-Please head over to our
-[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more
-about reporting security vulnerabilities.
+For details on how to report security vulnerabilities, visit our
+[security policy documentation](https://www.ory.sh/docs/ecosystem/security).