This security policy outlines the security support commitments for different types of Ory users.

• Security SLA: No security Service Level Agreement (SLA) is provided.
• Release Schedule: Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to that point.
• Version Support: Security patches are only provided for the current release version.

• Security SLA: The following timelines apply for security vulnerabilities based on their severity:
  • Critical: Resolved within 14 days.
  • High: Resolved within 30 days.
  • Medium: Resolved within 90 days.
  • Low: Resolved within 180 days.
  • Informational: Addressed as needed.
• Release Schedule: Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
• Version Support: Depending on the Ory Enterprise License agreement multiple versions can be supported.

• Security SLA: The following timelines apply for security vulnerabilities based on their severity:
  • Critical: Resolved within 14 days.
  • High: Resolved within 30 days.
  • Medium: Resolved within 90 days.
  • Low: Resolved within 180 days.
  • Informational: Addressed as needed.
• Release Schedule: Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the above SLA.
• Version Support: Ory Network always runs the most current version.

Get in touch to learn more about Ory's security SLAs and process.

If you suspect a security vulnerability, please report it to security@ory.sh. We will respond within 48 hours. If confirmed, we will work to release a patch as soon as possible, typically within a few days depending on the issue's complexity.