Skip to content

Security: ory/fosite

Security Navigation

SECURITY.md

Ory Security Policy

This policy outlines Ory's security commitments and practices for users across different licensing and deployment models.

To learn more about Ory's security service level agreements (SLAs) and processes, please contact us.

Ory Network Users

  • Security SLA: Ory addresses vulnerabilities in the Ory Network according to the following guidelines:
    • Critical: Typically addressed within 14 days.
    • High: Typically addressed within 30 days.
    • Medium: Typically addressed within 90 days.
    • Low: Typically addressed within 180 days.
    • Informational: Addressed as necessary.
      These timelines are targets and may vary based on specific circumstances.
  • Release Schedule: Updates are deployed to the Ory Network as vulnerabilities are resolved.
  • Version Support: The Ory Network always runs the latest version, ensuring up-to-date security fixes.

Ory Enterprise License Customers

  • Security SLA: Ory addresses vulnerabilities based on their severity:
    • Critical: Typically addressed within 14 days.
    • High: Typically addressed within 30 days.
    • Medium: Typically addressed within 90 days.
    • Low: Typically addressed within 180 days.
    • Informational: Addressed as necessary.
      These timelines are targets and may vary based on specific circumstances.
  • Release Schedule: Updates are made available as vulnerabilities are resolved. Ory works closely with enterprise customers to ensure timely updates that align with their operational needs.
  • Version Support: Ory may provide security support for multiple versions, depending on the terms of the enterprise agreement.

Apache 2.0 License Users

  • Security SLA: Ory does not provide a formal SLA for security issues under the Apache 2.0 License.
  • Release Schedule: Releases prioritize new functionality and include fixes for known security vulnerabilities at the time of release. While major releases typically occur one to two times per year, Ory does not guarantee a fixed release schedule.
  • Version Support: Security patches are only provided for the latest release version.

Reporting a Vulnerability

For details on how to report security vulnerabilities, visit our security policy documentation.