Skip to content

Commit

Permalink
chore: update repository templates to ory/meta@43af518
Browse files Browse the repository at this point in the history
  • Loading branch information
aeneasr committed Aug 27, 2024
1 parent b9b9f87 commit 42934ea
Showing 1 changed file with 20 additions and 33 deletions.
53 changes: 20 additions & 33 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,43 +1,30 @@
# Ory Security Policy
<!-- AUTO-GENERATED, DO NOT EDIT! -->
<!-- Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/SECURITY.md -->

## Overview
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

This security policy outlines the security support commitments for different
types of Ory users.
- [Security Policy](#security-policy)
- [Supported Versions](#supported-versions)
- [Reporting a Vulnerability](#reporting-a-vulnerability)

## Apache 2.0 License Users
<!-- END doctoc generated TOC please keep comment here to allow auto update -->

- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current release version.
# Security Policy

## Ory Enterprise License Customers
## Supported Versions

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported.
We release patches for security vulnerabilities. Which versions are eligible for
receiving such patches depends on the CVSS v3.0 Rating:

## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process.
| CVSS v3.0 | Supported Versions |
| --------- | ----------------------------------------- |
| 9.0-10.0 | Releases within the previous three months |
| 4.0-8.9 | Most recent release |

## Reporting a Vulnerability

If you suspect a security vulnerability, please report it to
**[[email protected]](mailto:[email protected])**. We will respond within 48 hours.
If confirmed, we will work to release a patch as soon as possible, typically
within a few days depending on the issue's complexity.
Please report (suspected) security vulnerabilities to
**[[email protected]](mailto:[email protected])**. You will receive a response from
us within 48 hours. If the issue is confirmed, we will release a patch as soon
as possible depending on complexity but historically within a few days.

0 comments on commit 42934ea

Please sign in to comment.