|
3 | 3 |
|
4 | 4 | # Ory Security Policy
|
5 | 5 |
|
6 |
| -## Overview |
| 6 | +This policy outlines Ory's security commitments and practices for users across |
| 7 | +different licensing and deployment models. |
7 | 8 |
|
8 |
| -This security policy outlines the security support commitments for different |
9 |
| -types of Ory users. |
| 9 | +To learn more about Ory's security service level agreements (SLAs) and |
| 10 | +processes, please [contact us](https://www.ory.sh/contact/). |
10 | 11 |
|
11 |
| -[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security |
12 |
| -SLAs and process. |
13 |
| - |
14 |
| -## Apache 2.0 License Users |
| 12 | +## Ory Network Users |
15 | 13 |
|
16 |
| -- **Security SLA:** No security Service Level Agreement (SLA) is provided. |
17 |
| -- **Release Schedule:** Releases are planned every 3 to 6 months. These releases |
18 |
| - will contain all security fixes implemented up to that point. |
19 |
| -- **Version Support:** Security patches are only provided for the current |
20 |
| - release version. |
| 14 | +- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according |
| 15 | + to the following guidelines: |
| 16 | + - Critical: Typically addressed within 14 days. |
| 17 | + - High: Typically addressed within 30 days. |
| 18 | + - Medium: Typically addressed within 90 days. |
| 19 | + - Low: Typically addressed within 180 days. |
| 20 | + - Informational: Addressed as necessary. |
| 21 | + These timelines are targets and may vary based on specific circumstances. |
| 22 | +- **Release Schedule:** Updates are deployed to the Ory Network as |
| 23 | + vulnerabilities are resolved. |
| 24 | +- **Version Support:** The Ory Network always runs the latest version, ensuring |
| 25 | + up-to-date security fixes. |
21 | 26 |
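Review bot: In the Ory Network SLA list, "Typically addressed within 14 days" replaces "Resolved within 14 days", and "addressed" is never defined, so a reader cannot tell whether the target covers triage, a mitigation, or a deployed fix. Suggest defining the term once, stating when the clock starts (report received or vulnerability confirmed), and naming the severity scale behind the Critical/High/Medium/Low labels. The bullet is still titled "Security SLA" while its new closing sentence calls the timelines targets, so consider changing the label to match.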
|
22 | 27 | ## Ory Enterprise License Customers
|
23 | 28 |
|
24 |
| -- **Security SLA:** The following timelines apply for security vulnerabilities |
25 |
| - based on their severity: |
26 |
| - - Critical: Resolved within 14 days. |
27 |
| - - High: Resolved within 30 days. |
28 |
| - - Medium: Resolved within 90 days. |
29 |
| - - Low: Resolved within 180 days. |
30 |
| - - Informational: Addressed as needed. |
31 |
| -- **Release Schedule:** Updates are provided as soon as vulnerabilities are |
32 |
| - resolved, adhering to the above SLA. |
33 |
| -- **Version Support:** Depending on the Ory Enterprise License agreement |
34 |
| - multiple versions can be supported. |
| 29 | +- **Security SLA:** Ory addresses vulnerabilities based on their severity: |
| 30 | + - Critical: Typically addressed within 14 days. |
| 31 | + - High: Typically addressed within 30 days. |
| 32 | + - Medium: Typically addressed within 90 days. |
| 33 | + - Low: Typically addressed within 180 days. |
| 34 | + - Informational: Addressed as necessary. |
| 35 | + These timelines are targets and may vary based on specific circumstances. |
| 36 | +- **Release Schedule:** Updates are made available as vulnerabilities are |
| 37 | + resolved. Ory works closely with enterprise customers to ensure timely updates |
| 38 | + that align with their operational needs. |
| 39 | +- **Version Support:** Ory may provide security support for multiple versions, |
| 40 | + depending on the terms of the enterprise agreement. |
35 | 41 |
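Review bot: The sentence "These timelines are targets and may vary based on specific circumstances." at new line 35 (and likewise at new line 21) follows the "Informational" item with no blank line, so Markdown renders it as a continuation of that last sub-bullet and not as a caveat on the whole list. Put a blank line before it, or fold it into the "Security SLA" lead sentence. In the same section, Version Support now says Ory "may provide" support for multiple versions; if the enterprise agreement is what governs both versions and timelines, say that explicitly here.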
|
36 |
| -## Ory Network Users |
| 42 | +## Apache 2.0 License Users |
37 | 43 |
|
38 |
| -- **Security SLA:** The following timelines apply for security vulnerabilities |
39 |
| - based on their severity: |
40 |
| - - Critical: Resolved within 14 days. |
41 |
| - - High: Resolved within 30 days. |
42 |
| - - Medium: Resolved within 90 days. |
43 |
| - - Low: Resolved within 180 days. |
44 |
| - - Informational: Addressed as needed. |
45 |
| -- **Release Schedule:** Updates are automatically deployed to Ory Network as |
46 |
| - soon as vulnerabilities are resolved, adhering to the above SLA. |
47 |
| -- **Version Support:** Ory Network always runs the most current version. |
| 44 | +- **Security SLA:** Ory does not provide a formal SLA for security issues under |
| 45 | + the Apache 2.0 License. |
| 46 | +- **Release Schedule:** Releases prioritize new functionality and include fixes |
| 47 | + for known security vulnerabilities at the time of release. While major |
| 48 | + releases typically occur one to two times per year, Ory does not guarantee a |
| 49 | + fixed release schedule. |
| 50 | +- **Version Support:** Security patches are only provided for the latest release |
| 51 | + version. |
48 | 52 |
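Review bot: The Apache 2.0 "Release Schedule" text no longer gives a cadence a user can plan around ("Ory does not guarantee a fixed release schedule"), and together with "Security patches are only provided for the latest release version" it leaves open whether a critical fix ships before the next major release. Suggest stating whether out-of-band patch releases are made for severe vulnerabilities. The move from "every 3 to 6 months" to "one to two times per year" is a substantive change for open-source users and is worth calling out in the change description.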
|
49 | 53 | ## Reporting a Vulnerability
|
50 | 54 |
|
51 |
| -Please head over to our |
52 |
| -[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more |
53 |
| -about reporting security vulnerabilities. |
| 55 | +For details on how to report security vulnerabilities, visit our |
| 56 | +[security policy documentation](https://www.ory.sh/docs/ecosystem/security). |