-
-
Notifications
You must be signed in to change notification settings - Fork 380
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
46 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,20 +3,56 @@ id: security | |
| title: Security policy | ||
| --- | ||
|
|
||
| :::info Private Bug Bounty Program | ||
| This security policy outlines the security support commitments for different types of Ory users. | ||
|
|
||
| [Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process. | ||
|
|
||
| ### Apache 2.0 License users | ||
|
|
||
| - **Security SLA:** No security Service Level Agreement (SLA) is provided. | ||
| - **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to | ||
| that point. | ||
| - **Version Support:** Security patches are only provided for the current release version. | ||
|
|
||
| ### Ory Enterprise License customers | ||
|
|
||
| - **Security SLA:** The following timelines apply for security vulnerabilities based on their severity: | ||
| - Critical: Resolved within 14 days. | ||
| - High: Resolved within 30 days. | ||
| - Medium: Resolved within 90 days. | ||
| - Low: Resolved within 180 days. | ||
| - Informational: Addressed as needed. | ||
| - **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA. | ||
| - **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported. | ||
|
|
||
| ### Ory Network users | ||
|
|
||
| - **Security SLA:** The following timelines apply for security vulnerabilities based on their severity: | ||
| - Critical: Resolved within 14 days. | ||
| - High: Resolved within 30 days. | ||
| - Medium: Resolved within 90 days. | ||
| - Low: Resolved within 180 days. | ||
| - Informational: Addressed as needed. | ||
| - **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the | ||
| above SLA. | ||
| - **Version Support:** Ory Network always runs the most current version. | ||
|
|
||
| ### Reporting a vulnerability | ||
|
|
||
| Please read the following section to learn more about reporting security vulnerabilities at the Ory Bug Bounty Program. | ||
|
|
||
| ## Ory bug bounty program | ||
|
|
||
| Ory is working with Hackerone to provide a private bug bounty program for all Ory products. If you are interested in joining the | ||
| program, please [create an account at Hackerone](https://hackerone.com/sign_up) and [request access](mailto:[email protected]). The | ||
| following is the policy for the private bug bounty program. | ||
|
|
||
| ::: | ||
|
|
||
| Being a security-focused company, Ory appreciates, encourages, and rewards feedback from the security community. Ory is open | ||
| source at heart, so feel free to inspect our [source code](https://github.com/ory). Ory commits to following HackerOne's | ||
| [vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) and we ask you to do the same. Thank you | ||
| for helping keep Ory and our users safe! | ||
|
|
||
| ## Research guidelines | ||
| ### Research guidelines | ||
|
|
||
| While security-testing Ory systems, please make a good-faith effort to avoid privacy violations, destruction of data, and | ||
| interruption or degradation of our service. Interact only with accounts you own or with the explicit permission of the account | ||
|
|
@@ -28,7 +64,7 @@ Prohibited activities: | |
| - security scanning with more than 5 QPS against Ory domains | ||
| - any activity that leads to disruption of our service longer than 5 minutes | ||
|
|
||
| ## What can you report | ||
| ### What can you report | ||
|
|
||
| Please report any potential security vulnerability that potentially leads to sensible exploits. Please report vulnerabilities in | ||
| Ory's upstream dependencies to the respective projects and only reach out to us if the report to upstream was unsuccessful. | ||
|
|
@@ -54,14 +90,14 @@ are attacks | |
| Please use Ory's customer support channels if you need help tuning Ory components for security or need help applying | ||
| security-related updates. | ||
|
|
||
| ## How to report | ||
| ### How to report | ||
|
|
||
| Submit one vulnerability per report unless you need to chain vulnerabilities to achieve impact. | ||
|
|
||
| Please provide a detailed vulnerability report with step-by-step instructions to reproduce the issue. Only vulnerabilities that we | ||
| can reproduce are eligible for a reward. | ||
|
|
||
| ## Review | ||
| ### Review | ||
|
|
||
| Ory commits to these response timelines: | ||
|
|
||
|
|
@@ -71,7 +107,7 @@ Ory commits to these response timelines: | |
|
|
||
| We'll stay in close contact with you throughout the process. | ||
|
|
||
| ## Rewards | ||
| ### Rewards | ||
|
|
||
| While all reward decision are up to our discretion, we generally award these monetary bounties out of our total yearly bounty | ||
| budget for security vulnerabilities that we can reproduce: | ||
|
|
@@ -87,11 +123,11 @@ When receiving multiple reports about the same issue, we award the first report | |
| vulnerabilities caused by the same underlying issue result in only one bounty. We award public Zero-day vulnerabilities that have | ||
| had an official patch for less than one month on a case-by-case basis | ||
|
|
||
| ## Publication | ||
| ### Publication | ||
|
|
||
| Please do not discuss any vulnerabilities, even resolved ones, outside this program without written consent from Ory. | ||
|
|
||
| ## Safe harbor | ||
| ### Safe harbor | ||
|
|
||
| Any activities conducted in a manner consistent with this policy will be considered authorized conduct and not result in legal | ||
| action from Ory against you. If you face legal action in connection with activities conducted under this policy, Ory will take | ||
|
|
||