Security: ory/oathkeeper

Ory Security Policy

Overview

This security policy outlines the security support commitments for different types of Ory users.

Get in touch to learn more about Ory's security SLAs and process.

Apache 2.0 License Users

  • Security SLA: No security Service Level Agreement (SLA) is provided.
  • Release Schedule: Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
  • Version Support: Security patches are only provided for the current release version.

Ory Enterprise License Customers

  • Security SLA: The following timelines apply for security vulnerabilities based on their severity:
    • Critical: Resolved within 14 days.
    • High: Resolved within 30 days.
    • Medium: Resolved within 90 days.
    • Low: Resolved within 180 days.
    • Informational: Addressed as needed.
  • Release Schedule: Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
  • Version Support: Depending on the Ory Enterprise License agreement, multiple versions can be supported.

Ory Network Users

  • Security SLA: The following timelines apply for security vulnerabilities based on their severity:
    • Critical: Resolved within 14 days.
    • High: Resolved within 30 days.
    • Medium: Resolved within 90 days.
    • Low: Resolved within 180 days.
    • Informational: Addressed as needed.
  • Release Schedule: Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
  • Version Support: Ory Network always runs the most current version.

Reporting a Vulnerability

Please head over to our security policy to learn more about reporting security vulnerabilities.
