diff --git a/SECURITY.md b/SECURITY.md index 026e3afb..61045148 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,51 +3,54 @@ # Ory Security Policy -## Overview +This policy outlines Ory's security commitments and practices for users across +different licensing and deployment models. -This security policy outlines the security support commitments for different -types of Ory users. +To learn more about Ory's security service level agreements (SLAs) and +processes, please [contact us](https://www.ory.sh/contact/). -[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security -SLAs and process. - -## Apache 2.0 License Users +## Ory Network Users -- **Security SLA:** No security Service Level Agreement (SLA) is provided. -- **Release Schedule:** Releases are planned every 3 to 6 months. These releases - will contain all security fixes implemented up to that point. -- **Version Support:** Security patches are only provided for the current - release version. +- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according + to the following guidelines: + - Critical: Typically addressed within 14 days. + - High: Typically addressed within 30 days. + - Medium: Typically addressed within 90 days. + - Low: Typically addressed within 180 days. + - Informational: Addressed as necessary. + These timelines are targets and may vary based on specific circumstances. +- **Release Schedule:** Updates are deployed to the Ory Network as + vulnerabilities are resolved. +- **Version Support:** The Ory Network always runs the latest version, ensuring + up-to-date security fixes. ## Ory Enterprise License Customers -- **Security SLA:** The following timelines apply for security vulnerabilities - based on their severity: - - Critical: Resolved within 14 days. - - High: Resolved within 30 days. - - Medium: Resolved within 90 days. - - Low: Resolved within 180 days. - - Informational: Addressed as needed. -- **Release Schedule:** Updates are provided as soon as vulnerabilities are - resolved, adhering to the above SLA. -- **Version Support:** Depending on the Ory Enterprise License agreement - multiple versions can be supported. +- **Security SLA:** Ory addresses vulnerabilities based on their severity: + - Critical: Typically addressed within 14 days. + - High: Typically addressed within 30 days. + - Medium: Typically addressed within 90 days. + - Low: Typically addressed within 180 days. + - Informational: Addressed as necessary. + These timelines are targets and may vary based on specific circumstances. +- **Release Schedule:** Updates are made available as vulnerabilities are + resolved. Ory works closely with enterprise customers to ensure timely updates + that align with their operational needs. +- **Version Support:** Ory may provide security support for multiple versions, + depending on the terms of the enterprise agreement. -## Ory Network Users +## Apache 2.0 License Users -- **Security SLA:** The following timelines apply for security vulnerabilities - based on their severity: - - Critical: Resolved within 14 days. - - High: Resolved within 30 days. - - Medium: Resolved within 90 days. - - Low: Resolved within 180 days. - - Informational: Addressed as needed. -- **Release Schedule:** Updates are automatically deployed to Ory Network as - soon as vulnerabilities are resolved, adhering to the above SLA. -- **Version Support:** Ory Network always runs the most current version. +- **Security SLA:** Ory does not provide a formal SLA for security issues under + the Apache 2.0 License. +- **Release Schedule:** Releases prioritize new functionality and include fixes + for known security vulnerabilities at the time of release. While major + releases typically occur one to two times per year, Ory does not guarantee a + fixed release schedule. +- **Version Support:** Security patches are only provided for the latest release + version. ## Reporting a Vulnerability -Please head over to our -[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more -about reporting security vulnerabilities. +For details on how to report security vulnerabilities, visit our +[security policy documentation](https://www.ory.sh/docs/ecosystem/security).