Skip to content

Security: ory/meta

Security

SECURITY.md

Ory Security Policy

Overview

This security policy outlines the security support commitments for different types of Ory users.

Apache 2.0 License Users

  • Security SLA: No security Service Level Agreement (SLA) is provided.
  • Release Schedule: Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
  • Version Support: Security patches are only provided for the current release version.

Ory Enterprise License Customers

  • Security SLA: The following timelines apply for security vulnerabilities based on their severity:
    • Critical: Resolved within 14 days.
    • High: Resolved within 30 days.
    • Medium: Resolved within 90 days.
    • Low: Resolved within 180 days.
    • Informational: Addressed as needed.
  • Release Schedule: Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
  • Version Support: Depending on the Ory Enterprise License agreement multiple versions can be supported.

Ory Network Users

  • Security SLA: The following timelines apply for security vulnerabilities based on their severity:
    • Critical: Resolved within 14 days.
    • High: Resolved within 30 days.
    • Medium: Resolved within 90 days.
    • Low: Resolved within 180 days.
    • Informational: Addressed as needed.
  • Release Schedule: Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
  • Version Support: Ory Network always runs the most current version.

Get in touch to learn more about Ory's security SLAs and process.

Reporting a Vulnerability

If you suspect a security vulnerability, please report it to [email protected]. We will respond within 48 hours. If confirmed, we will work to release a patch as soon as possible, typically within a few days depending on the issue's complexity.

There aren’t any published security advisories