chore: update repository templates to ory/meta@1af2225

ory · Dec 4, 2024 · 8cbb5bd · 8cbb5bd
1 parent 9d3afa7
commit 8cbb5bd
Showing 1 changed file with 40 additions and 37 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -3,51 +3,54 @@
 
 # Ory Security Policy
 
-## Overview
+This policy outlines Ory's security commitments and practices for users across
+different licensing and deployment models.
 
-This security policy outlines the security support commitments for different
-types of Ory users.
+To learn more about Ory's security service level agreements (SLAs) and
+processes, please [contact us](https://www.ory.sh/contact/).
 
-[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
-SLAs and process.
-
-## Apache 2.0 License Users
+## Ory Network Users
 
-- **Security SLA:** No security Service Level Agreement (SLA) is provided.
-- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
-  will contain all security fixes implemented up to that point.
-- **Version Support:** Security patches are only provided for the current
-  release version.
+- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according
+  to the following guidelines:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are deployed to the Ory Network as
+  vulnerabilities are resolved.
+- **Version Support:** The Ory Network always runs the latest version, ensuring
+  up-to-date security fixes.
 
 ## Ory Enterprise License Customers
 
-- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
-- **Release Schedule:** Updates are provided as soon as vulnerabilities are
-  resolved, adhering to the above SLA.
-- **Version Support:** Depending on the Ory Enterprise License agreement
-  multiple versions can be supported.
+- **Security SLA:** Ory addresses vulnerabilities based on their severity:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are made available as vulnerabilities are
+  resolved. Ory works closely with enterprise customers to ensure timely updates
+  that align with their operational needs.
+- **Version Support:** Ory may provide security support for multiple versions,
+  depending on the terms of the enterprise agreement.
 
-## Ory Network Users
+## Apache 2.0 License Users
 
-- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
-- **Release Schedule:** Updates are automatically deployed to Ory Network as
-  soon as vulnerabilities are resolved, adhering to the above SLA.
-- **Version Support:** Ory Network always runs the most current version.
+- **Security SLA:** Ory does not provide a formal SLA for security issues under
+  the Apache 2.0 License.
+- **Release Schedule:** Releases prioritize new functionality and include fixes
+  for known security vulnerabilities at the time of release. While major
+  releases typically occur one to two times per year, Ory does not guarantee a
+  fixed release schedule.
+- **Version Support:** Security patches are only provided for the latest release
+  version.
 
 ## Reporting a Vulnerability
 
-Please head over to our
-[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more
-about reporting security vulnerabilities.
+For details on how to report security vulnerabilities, visit our
+[security policy documentation](https://www.ory.sh/docs/ecosystem/security).