<!-- AUTO-GENERATED, DO NOT EDIT! -->
<!-- Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/SECURITY.md -->

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Security Policy](#security-policy)
  - [Supported Versions](#supported-versions)
  - [Reporting a Vulnerability](#reporting-a-vulnerability)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

# Ory Security Policy

## Overview

This security policy outlines the security support commitments for different
types of Ory users.

## Apache 2.0 License Users

- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
  will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current
  release version.

## Ory Enterprise License Customers

- **Security SLA:** The following timelines apply for security vulnerabilities
  based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are
  resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement
  multiple versions can be supported.

## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities
  based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as
  soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
SLAs and process.

## Reporting a Vulnerability

If you suspect a security vulnerability, please report it to
**[security@ory.sh](mailto:security@ory.sh)**. We will respond within 48 hours.
If confirmed, we will work to release a patch as soon as possible, typically
within a few days depending on the issue's complexity.