Skip to content

Commit

Permalink
chore: update security policy
Browse files Browse the repository at this point in the history
  • Loading branch information
aeneasr committed Aug 27, 2024
1 parent 368c28a commit b9b9f87
Showing 1 changed file with 33 additions and 20 deletions.
53 changes: 33 additions & 20 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,30 +1,43 @@
<!-- AUTO-GENERATED, DO NOT EDIT! -->
<!-- Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/SECURITY.md -->
# Ory Security Policy

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
## Overview

- [Security Policy](#security-policy)
- [Supported Versions](#supported-versions)
- [Reporting a Vulnerability](#reporting-a-vulnerability)
This security policy outlines the security support commitments for different
types of Ory users.

<!-- END doctoc generated TOC please keep comment here to allow auto update -->
## Apache 2.0 License Users

# Security Policy
- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current release version.

## Supported Versions
## Ory Enterprise License Customers

We release patches for security vulnerabilities. Which versions are eligible for
receiving such patches depends on the CVSS v3.0 Rating:
- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported.

| CVSS v3.0 | Supported Versions |
| --------- | ----------------------------------------- |
| 9.0-10.0 | Releases within the previous three months |
| 4.0-8.9 | Most recent release |
## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process.

## Reporting a Vulnerability

Please report (suspected) security vulnerabilities to
**[[email protected]](mailto:[email protected])**. You will receive a response from
us within 48 hours. If the issue is confirmed, we will release a patch as soon
as possible depending on complexity but historically within a few days.
If you suspect a security vulnerability, please report it to
**[[email protected]](mailto:[email protected])**. We will respond within 48 hours.
If confirmed, we will work to release a patch as soon as possible, typically
within a few days depending on the issue's complexity.

0 comments on commit b9b9f87

Please sign in to comment.