Security

Ory Security Policy

This policy outlines Ory's security commitments and practices for users acrossdifferent licensing and deployment models.

To learn more about Ory's security service level agreements (SLAs) andprocesses, pleasecontact us.

Security SLA: Ory addresses vulnerabilities in the Ory Network accordingto the following guidelines:
- Critical: Typically addressed within 14 days.
- High: Typically addressed within 30 days.
- Medium: Typically addressed within 90 days.
- Low: Typically addressed within 180 days.
- Informational: Addressed as necessary.
  These timelines are targets and may vary based on specific circumstances.
Release Schedule: Updates are deployed to the Ory Network asvulnerabilities are resolved.
Version Support: The Ory Network always runs the latest version, ensuringup-to-date security fixes.

Security SLA: Ory addresses vulnerabilities based on their severity:
- Critical: Typically addressed within 14 days.
- High: Typically addressed within 30 days.
- Medium: Typically addressed within 90 days.
- Low: Typically addressed within 180 days.
- Informational: Addressed as necessary.
  These timelines are targets and may vary based on specific circumstances.
Release Schedule: Updates are made available as vulnerabilities areresolved. Ory works closely with enterprise customers to ensure timely updatesthat align with their operational needs.
Version Support: Ory may provide security support for multiple versions,depending on the terms of the enterprise agreement.

Security SLA: Ory does not provide a formal SLA for security issues underthe Apache 2.0 License.
Release Schedule: Releases prioritize new functionality and include fixesfor known security vulnerabilities at the time of release. While majorreleases typically occur one to two times per year, Ory does not guarantee afixed release schedule.
Version Support: Security patches are only provided for the latest releaseversion.

For details on how to report security vulnerabilities, visit oursecurity policy documentation.