# Ory Security Policy

## Overview

This security policy outlines the security support commitments for different types of Ory users.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process.

## Apache 2.0 License Users

- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current release version.

## Ory Enterprise License Customers

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported.

## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.

## Reporting a Vulnerability

Please head over to our [security policy](https://www.ory.sh/docs/ecosystem/security) to learn more about reporting security vulnerabilities.