From b9b9f879c4487ddb343845ba6b76173e346671cb Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Tue, 27 Aug 2024 10:59:25 +0200 Subject: [PATCH] chore: update security policy --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7a05c1cfc6..c4bf7faadc 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,30 +1,43 @@ - - +# Ory Security Policy - - +## Overview -- [Security Policy](#security-policy) - - [Supported Versions](#supported-versions) - - [Reporting a Vulnerability](#reporting-a-vulnerability) +This security policy outlines the security support commitments for different +types of Ory users. - +## Apache 2.0 License Users -# Security Policy +- **Security SLA:** No security Service Level Agreement (SLA) is provided. +- **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point. +- **Version Support:** Security patches are only provided for the current release version. -## Supported Versions +## Ory Enterprise License Customers -We release patches for security vulnerabilities. Which versions are eligible for -receiving such patches depends on the CVSS v3.0 Rating: +- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity: + - Critical: Resolved within 14 days. + - High: Resolved within 30 days. + - Medium: Resolved within 90 days. + - Low: Resolved within 180 days. + - Informational: Addressed as needed. +- **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA. +- **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported. -| CVSS v3.0 | Supported Versions | -| --------- | ----------------------------------------- | -| 9.0-10.0 | Releases within the previous three months | -| 4.0-8.9 | Most recent release | +## Ory Network Users + +- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity: + - Critical: Resolved within 14 days. + - High: Resolved within 30 days. + - Medium: Resolved within 90 days. + - Low: Resolved within 180 days. + - Informational: Addressed as needed. +- **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA. +- **Version Support:** Ory Network always runs the most current version. + +[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process. ## Reporting a Vulnerability -Please report (suspected) security vulnerabilities to -**[security@ory.sh](mailto:security@ory.sh)**. You will receive a response from -us within 48 hours. If the issue is confirmed, we will release a patch as soon -as possible depending on complexity but historically within a few days. +If you suspect a security vulnerability, please report it to +**[security@ory.sh](mailto:security@ory.sh)**. We will respond within 48 hours. +If confirmed, we will work to release a patch as soon as possible, typically +within a few days depending on the issue's complexity.