This policy outlines Ory's security commitments and practices for users across different licensing and deployment models.
To learn more about Ory's security service level agreements (SLAs) and processes, please contact us.
- Security SLA: Ory addresses vulnerabilities in the Ory Network according
to the following guidelines:
- Critical: Typically addressed within 14 days.
- High: Typically addressed within 30 days.
- Medium: Typically addressed within 90 days.
- Low: Typically addressed within 180 days.
- Informational: Addressed as necessary.
These timelines are targets and may vary based on specific circumstances.
- Release Schedule: Updates are deployed to the Ory Network as vulnerabilities are resolved.
- Version Support: The Ory Network always runs the latest version, ensuring up-to-date security fixes.
- Security SLA: Ory addresses vulnerabilities based on their severity:
- Critical: Typically addressed within 14 days.
- High: Typically addressed within 30 days.
- Medium: Typically addressed within 90 days.
- Low: Typically addressed within 180 days.
- Informational: Addressed as necessary.
These timelines are targets and may vary based on specific circumstances.
- Release Schedule: Updates are made available as vulnerabilities are resolved. Ory works closely with enterprise customers to ensure timely updates that align with their operational needs.
- Version Support: Ory may provide security support for multiple versions, depending on the terms of the enterprise agreement.
- Security SLA: Ory does not provide a formal SLA for security issues under the Apache 2.0 License.
- Release Schedule: Releases prioritize new functionality and include fixes for known security vulnerabilities at the time of release. While major releases typically occur one to two times per year, Ory does not guarantee a fixed release schedule.
- Version Support: Security patches are only provided for the latest release version.
For details on how to report security vulnerabilities, visit our security policy documentation.