|
10 | 10 |
|
11 | 11 | <!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
12 | 12 |
|
13 |
| -# Security Policy |
14 |
| - |
15 |
| -## Supported Versions |
16 |
| - |
17 |
| -We release patches for security vulnerabilities. Which versions are eligible for |
18 |
| -receiving such patches depends on the CVSS v3.0 Rating: |
19 |
| - |
20 |
| -| CVSS v3.0 | Supported Versions | |
21 |
| -| --------- | ----------------------------------------- | |
22 |
| -| 9.0-10.0 | Releases within the previous three months | |
23 |
| -| 4.0-8.9 | Most recent release | |
| 13 | +# Ory Security Policy |
| 14 | + |
| 15 | +## Overview |
| 16 | + |
| 17 | +This security policy outlines the security support commitments for different |
| 18 | +types of Ory users. |
| 19 | + |
| 20 | +## Apache 2.0 License Users |
| 21 | + |
| 22 | +- **Security SLA:** No security Service Level Agreement (SLA) is provided. |
| 23 | +- **Release Schedule:** Releases are planned every 3 to 6 months. These releases |
| 24 | + will contain all security fixes implemented up to that point. |
| 25 | +- **Version Support:** Security patches are only provided for the current |
| 26 | + release version. |
| 27 | + |
| 28 | +## Ory Enterprise License Customers |
| 29 | + |
| 30 | +- **Security SLA:** The following timelines apply for security vulnerabilities |
| 31 | + based on their severity: |
| 32 | + - Critical: Resolved within 14 days. |
| 33 | + - High: Resolved within 30 days. |
| 34 | + - Medium: Resolved within 90 days. |
| 35 | + - Low: Resolved within 180 days. |
| 36 | + - Informational: Addressed as needed. |
| 37 | +- **Release Schedule:** Updates are provided as soon as vulnerabilities are |
| 38 | + resolved, adhering to the above SLA. |
| 39 | +- **Version Support:** Depending on the Ory Enterprise License agreement |
| 40 | + multiple versions can be supported. |
| 41 | + |
| 42 | +## Ory Network Users |
| 43 | + |
| 44 | +- **Security SLA:** The following timelines apply for security vulnerabilities |
| 45 | + based on their severity: |
| 46 | + - Critical: Resolved within 14 days. |
| 47 | + - High: Resolved within 30 days. |
| 48 | + - Medium: Resolved within 90 days. |
| 49 | + - Low: Resolved within 180 days. |
| 50 | + - Informational: Addressed as needed. |
| 51 | +- **Release Schedule:** Updates are automatically deployed to Ory Network as |
| 52 | + soon as vulnerabilities are resolved, adhering to the above SLA. |
| 53 | +- **Version Support:** Ory Network always runs the most current version. |
| 54 | + |
| 55 | +[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security |
| 56 | +SLAs and process. |
24 | 57 |
|
25 | 58 | ## Reporting a Vulnerability
|
26 | 59 |
|
27 |
| -Please report (suspected) security vulnerabilities to |
28 |
| -**[[email protected]](mailto:[email protected])**. You will receive a response from |
29 |
| -us within 48 hours. If the issue is confirmed, we will release a patch as soon |
30 |
| -as possible depending on complexity but historically within a few days. |
| 60 | +If you suspect a security vulnerability, please report it to |
| 61 | +**[[email protected]](mailto:[email protected])**. We will respond within 48 hours. |
| 62 | +If confirmed, we will work to release a patch as soon as possible, typically |
| 63 | +within a few days depending on the issue's complexity. |
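Review bot: The severity labels in the new SLA lists (Critical, High, Medium, Low, Informational; new lines 32-36 and 46-50) are not tied to any scoring scheme, whereas the removed table keyed patch eligibility to CVSS v3.0 ranges (9.0-10.0 and 4.0-8.9). State how a severity is assigned and when the "Resolved within N days" clock starts, for example on receipt of the report or on confirmation of the issue. The rewritten reporting paragraph (new lines 60-63) still promises a patch "typically within a few days", which sits awkwardly next to the Apache 2.0 section's "No security Service Level Agreement (SLA) is provided" and "Releases are planned every 3 to 6 months"; say which user tier that sentence applies to. The two SLA lists are identical, so consider defining the timelines once and referencing them from both sections to keep them from drifting apart. Minor: "Depending on the Ory Enterprise License agreement multiple versions can be supported" (new lines 39-40) needs a comma after "agreement".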