diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..1ce5ed2bf --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ +# Security Policy + +## Supported Versions + +We release patches for security vulnerabilities. +Which versions are eligible receiving such patches +depend on the CVSS v3.0 Rating: + +| CVSS v3.0 | Supported Versions | +| ---------- | ----------------------------------------- | +| 9.0-10.0 | Releases within the previous three months | +| 4.0-8.9 | Most recent release | + +## Reporting a Vulnerability + +Please report (suspected) security vulnerabilities to +**[security@ory.sh](mailto:security@ory.sh)**. You will receive +a response from us within 48 hours. If the issue is confirmed, +we will release a patch as soon as possible depending on complexity +but historically within a few days.
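Review bot: The Supported Versions table has rows only for CVSS v3.0 scores 9.0-10.0 and 4.0-8.9, so the policy is silent on findings scored below 4.0. Add a row or a sentence saying whether low-severity issues get a patch on any supported release or are only fixed in the next regular release. In the sentence above the table, "Which versions are eligible receiving such patches depend on" should read "Which versions are eligible to receive such patches depends on". In Reporting a Vulnerability, the only channel given is a plain mailto address; consider stating what a report should contain (affected version, reproduction steps) and whether an encrypted channel is available for sensitive details. The "within 48 hours" commitment should also say whether it refers to an acknowledgement or a triage result.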