This security policy outlines the security support commitments for different types of Ory users.
- Security SLA: No security Service Level Agreement (SLA) is provided.
- Release Schedule: Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
- Version Support: Security patches are only provided for the current release version.
- Security SLA: The following timelines apply for security vulnerabilities
based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- Release Schedule: Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
- Version Support: Depending on the Ory Enterprise License agreement multiple versions can be supported.
- Security SLA: The following timelines apply for security vulnerabilities
based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- Release Schedule: Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
- Version Support: Ory Network always runs the most current version.
Get in touch to learn more about Ory's security SLAs and process.
If you suspect a security vulnerability, please report it to security@ory.sh. We will respond within 48 hours. If confirmed, we will work to release a patch as soon as possible, typically within a few days depending on the issue's complexity.