Commit
Showing 1 changed file with 17 additions and 18 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,27 +1,26 @@ | ||
<!-- START doctoc generated TOC please keep comment here to allow auto update --> | ||
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> | ||
# Ory Security Policy | ||
|
||
- [Security Policy](#security-policy) | ||
- [Supported Versions](#supported-versions) | ||
- [Reporting a Vulnerability](#reporting-a-vulnerability) | ||
## Overview | ||
|
||
<!-- END doctoc generated TOC please keep comment here to allow auto update --> | ||
This security policy outlines the security support commitments for different types of Ory users. | ||
|
||
# Security Policy | ||
### Apache 2.0 License Users | ||
|
||
## Supported Versions | ||
- **Security SLA:** No security Service Level Agreement (SLA) is provided. | ||
- **Release Schedule:** Releases are planned every 3 to 6 months. | ||
|
||
We release patches for security vulnerabilities. Which versions are eligible | ||
receiving such patches depend on the CVSS v3.0 Rating: | ||
### Ory Network Users & Ory Enterprise License Customers | ||
|
||
| CVSS v3.0 | Supported Versions | | ||
| --------- | ----------------------------------------- | | ||
| 9.0-10.0 | Releases within the previous three months | | ||
| 4.0-8.9 | Most recent release | | ||
For users on the Ory Network and customers with an Ory Enterprise license, the following timelines apply for security vulnerabilities based on their severity: | ||
|
||
- **Critical:** Resolved within 14 days. | ||
- **High:** Resolved within 30 days. | ||
- **Medium:** Resolved within 90 days. | ||
- **Low:** Resolved within 180 days. | ||
- **Informational:** Addressed as needed. | ||
|
||
[Get in touch](https://www.ory.sh/contact/) for more information. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Please report (suspected) security vulnerabilities to | ||
**[[email protected]](mailto:[email protected])**. You will receive a response from | ||
us within 48 hours. If the issue is confirmed, we will release a patch as soon | ||
as possible depending on complexity but historically within a few days. | ||
If you suspect a security vulnerability, please report it to **[[email protected]](mailto:[email protected])**. We will respond within 48 hours. If confirmed, we will work to release a patch as soon as possible, typically within a few days depending on the issue's complexity. |
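Review bot: The severity tiers in the "Ory Network Users & Ory Enterprise License Customers" list (Critical, High, Medium, Low, Informational) are not tied to any scoring scheme, whereas the "Supported Versions" text in this same hunk keyed patch eligibility to CVSS v3.0 ranges (9.0-10.0, 4.0-8.9). Without a stated mapping, a reporter or customer cannot tell which tier a finding falls into or who assigns it, so please name the scoring basis next to the list. The "Resolved within N days" lines also do not say when the clock starts (receipt of the report, the 48-hour response, or confirmation), and the "Apache 2.0 License Users" section no longer says which released versions receive security patches; one sentence for each would close those gaps. Last, the doctoc START comment is still at the top of the file while the TOC entries and headings around it change, so it is worth re-running doctoc or dropping both markers so the generated section stays consistent.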