ory-am/hydra

SECURITY.md

<!-- AUTO-GENERATED, DO NOT EDIT! -->
<!-- Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/SECURITY.md -->

# Ory Security Policy

## Overview

This security policy outlines the security support commitments for different
types of Ory users.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
SLAs and process.

## Apache 2.0 License Users

- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
  will contain all security fixes implemented up to that point.
- **Version Support:** Security patches are only provided for the current
  release version.

## Ory Enterprise License Customers

- **Security SLA:** The following timelines apply for security vulnerabilities
  based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are
  resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement,
  multiple versions can be supported.

## Ory Network Users

- **Security SLA:** The following timelines apply for security vulnerabilities
  based on their severity:
  - Critical: Resolved within 14 days.
  - High: Resolved within 30 days.
  - Medium: Resolved within 90 days.
  - Low: Resolved within 180 days.
  - Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as
  soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Ory Network always runs the most current version.

## Reporting a Vulnerability

Please head over to our
[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more
about reporting security vulnerabilities.