-
-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: clarify release expectations (#225)
- Loading branch information
Showing
1 changed file
with
40 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,50 +1,53 @@ | ||
# Ory Security Policy | ||
|
||
## Overview | ||
This policy outlines Ory's security commitments and practices for users across | ||
different licensing and deployment models. | ||
|
||
This security policy outlines the security support commitments for different | ||
types of Ory users. | ||
To learn more about Ory's security service level agreements (SLAs) and | ||
processes, please [contact us](https://www.ory.sh/contact/). | ||
|
||
[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security | ||
SLAs and process. | ||
|
||
## Apache 2.0 License Users | ||
## Ory Network Users | ||
|
||
- **Security SLA:** No security Service Level Agreement (SLA) is provided. | ||
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases | ||
will contain all security fixes implemented up to that point. | ||
- **Version Support:** Security patches are only provided for the current | ||
release version. | ||
- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according | ||
to the following guidelines: | ||
- Critical: Typically addressed within 14 days. | ||
- High: Typically addressed within 30 days. | ||
- Medium: Typically addressed within 90 days. | ||
- Low: Typically addressed within 180 days. | ||
- Informational: Addressed as necessary. | ||
These timelines are targets and may vary based on specific circumstances. | ||
- **Release Schedule:** Updates are deployed to the Ory Network as | ||
vulnerabilities are resolved. | ||
- **Version Support:** The Ory Network always runs the latest version, ensuring | ||
up-to-date security fixes. | ||
|
||
## Ory Enterprise License Customers | ||
|
||
- **Security SLA:** The following timelines apply for security vulnerabilities | ||
based on their severity: | ||
- Critical: Resolved within 14 days. | ||
- High: Resolved within 30 days. | ||
- Medium: Resolved within 90 days. | ||
- Low: Resolved within 180 days. | ||
- Informational: Addressed as needed. | ||
- **Release Schedule:** Updates are provided as soon as vulnerabilities are | ||
resolved, adhering to the above SLA. | ||
- **Version Support:** Depending on the Ory Enterprise License agreement | ||
multiple versions can be supported. | ||
- **Security SLA:** Ory addresses vulnerabilities based on their severity: | ||
- Critical: Typically addressed within 14 days. | ||
- High: Typically addressed within 30 days. | ||
- Medium: Typically addressed within 90 days. | ||
- Low: Typically addressed within 180 days. | ||
- Informational: Addressed as necessary. | ||
These timelines are targets and may vary based on specific circumstances. | ||
- **Release Schedule:** Updates are made available as vulnerabilities are | ||
resolved. Ory works closely with enterprise customers to ensure timely updates | ||
that align with their operational needs. | ||
- **Version Support:** Ory may provide security support for multiple versions, | ||
depending on the terms of the enterprise agreement. | ||
|
||
## Ory Network Users | ||
## Apache 2.0 License Users | ||
|
||
- **Security SLA:** The following timelines apply for security vulnerabilities | ||
based on their severity: | ||
- Critical: Resolved within 14 days. | ||
- High: Resolved within 30 days. | ||
- Medium: Resolved within 90 days. | ||
- Low: Resolved within 180 days. | ||
- Informational: Addressed as needed. | ||
- **Release Schedule:** Updates are automatically deployed to Ory Network as | ||
soon as vulnerabilities are resolved, adhering to the above SLA. | ||
- **Version Support:** Ory Network always runs the most current version. | ||
- **Security SLA:** Ory does not provide a formal SLA for security issues under | ||
the Apache 2.0 License. | ||
- **Release Schedule:** Releases prioritize new functionality and include fixes | ||
for known security vulnerabilities at the time of release. While major | ||
releases typically occur one to two times per year, Ory does not guarantee a | ||
fixed release schedule. | ||
- **Version Support:** Security patches are only provided for the latest release | ||
version. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Please head over to our | ||
[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more | ||
about reporting security vulnerabilities. | ||
For details on how to report security vulnerabilities, visit our | ||
[security policy documentation](https://www.ory.sh/docs/ecosystem/security). |