chore: update security policy #1837

Merged
merged 1 commit into from
Aug 27, 2024
56 changes: 46 additions & 10 deletions docs/ecosystem/security.md
Expand Up @@ -3,20 +3,56 @@ id: security
title: Security policy
---

:::info Private Bug Bounty Program
This security policy outlines the security support commitments for different types of Ory users.

[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security SLAs and process.

### Apache 2.0 License users

- **Security SLA:** No security Service Level Agreement (SLA) is provided.
- **Release Schedule:** Releases are planned every 3 to 6 months. These releases will contain all security fixes implemented up to
that point.
- **Version Support:** Security patches are only provided for the current release version.

### Ory Enterprise License customers

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are provided as soon as vulnerabilities are resolved, adhering to the above SLA.
- **Version Support:** Depending on the Ory Enterprise License agreement multiple versions can be supported.

### Ory Network users

- **Security SLA:** The following timelines apply for security vulnerabilities based on their severity:
- Critical: Resolved within 14 days.
- High: Resolved within 30 days.
- Medium: Resolved within 90 days.
- Low: Resolved within 180 days.
- Informational: Addressed as needed.
- **Release Schedule:** Updates are automatically deployed to Ory Network as soon as vulnerabilities are resolved, adhering to the
above SLA.
- **Version Support:** Ory Network always runs the most current version.

### Reporting a vulnerability

Please read the following section to learn more about reporting security vulnerabilities at the Ory Bug Bounty Program.

## Ory bug bounty program

Ory is working with Hackerone to provide a private bug bounty program for all Ory products. If you are interested in joining the
program, please [create an account at Hackerone](https://hackerone.com/sign_up) and [request access](mailto:[email protected]). The
following is the policy for the private bug bounty program.

:::

Being a security-focused company, Ory appreciates, encourages, and rewards feedback from the security community. Ory is open
source at heart, so feel free to inspect our [source code](https://github.com/ory). Ory commits to following HackerOne's
[vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) and we ask you to do the same. Thank you
for helping keep Ory and our users safe!

## Research guidelines
### Research guidelines

While security-testing Ory systems, please make a good-faith effort to avoid privacy violations, destruction of data, and
interruption or degradation of our service. Interact only with accounts you own or with the explicit permission of the account
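Review bot: the heading hierarchy in this hunk is inverted: `### Apache 2.0 License users`, `### Ory Enterprise License customers`, `### Ory Network users` and `### Reporting a vulnerability` sit directly under the page title with no `##` parent, while `## Ory bug bounty program` only begins afterwards, so the rendered TOC will show the support tiers as orphaned sub-sections. Suggest adding a `##` heading (e.g. `## Security support commitments`) after the `[Get in touch]` paragraph, and folding the one-sentence `### Reporting a vulnerability` section into the intro of `## Ory bug bounty program`. Also, as shown here the severity items (`- Critical: Resolved within 14 days.` and following) sit at the same indent as the `- **Security SLA:**` bullet; if that is the actual source indentation they render as sibling bullets rather than a nested list, so indent them two spaces under the SLA item. Minor: `Depending on the Ory Enterprise License agreement multiple versions can be supported.` needs a comma after `agreement`.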
Expand All @@ -28,7 +64,7 @@ Prohibited activities:
- security scanning with more than 5 QPS against Ory domains
- any activity that leads to disruption of our service longer than 5 minutes

## What can you report
### What can you report

Please report any potential security vulnerability that potentially leads to sensible exploits. Please report vulnerabilities in
Ory's upstream dependencies to the respective projects and only reach out to us if the report to upstream was unsuccessful.
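Review bot: this hunk only demotes the heading, but the unchanged context line `Please report any potential security vulnerability that potentially leads to sensible exploits.` reads oddly: `potential ... potentially` is redundant and `sensible` is not the intended word. Since the file is being touched, suggest `Please report any vulnerability that could lead to a realistic exploit.`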
Expand All @@ -54,14 +90,14 @@ are attacks
Please use Ory's customer support channels if you need help tuning Ory components for security or need help applying
security-related updates.

## How to report
### How to report

Submit one vulnerability per report unless you need to chain vulnerabilities to achieve impact.

Please provide a detailed vulnerability report with step-by-step instructions to reproduce the issue. Only vulnerabilities that we
can reproduce are eligible for a reward.

## Review
### Review

Ory commits to these response timelines:

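Review bot: with `## Review` demoted to `### Review`, the line `Ory commits to these response timelines:` now sits inside the bug bounty section right after the per-tier resolution SLAs added in the first hunk, and readers may conflate the two. Suggest one clarifying sentence here stating that these are triage and response timelines for bounty reports, distinct from the fix SLAs listed per license tier above.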
Expand All @@ -71,7 +107,7 @@ Ory commits to these response timelines:

We'll stay in close contact with you throughout the process.

## Rewards
### Rewards

While all reward decision are up to our discretion, we generally award these monetary bounties out of our total yearly bounty
budget for security vulnerabilities that we can reproduce:
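Review bot: typo in the unchanged context line `While all reward decision are up to our discretion`: `decision` should be `decisions`. Worth fixing in the same commit since the heading on the adjacent line is already being changed.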
Expand All @@ -87,11 +123,11 @@ When receiving multiple reports about the same issue, we award the first report
vulnerabilities caused by the same underlying issue result in only one bounty. We award public Zero-day vulnerabilities that have
had an official patch for less than one month on a case-by-case basis

## Publication
### Publication

Please do not discuss any vulnerabilities, even resolved ones, outside this program without written consent from Ory.

## Safe harbor
### Safe harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and not result in legal
action from Ory against you. If you face legal action in connection with activities conducted under this policy, Ory will take
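Review bot: the context line `had an official patch for less than one month on a case-by-case basis` is missing its terminating period, and `Zero-day` should be lowercase mid-sentence. With `## Safe harbor` demoted to `### Safe harbor`, the safe harbor now reads as a clause of the bug bounty program only; if it is meant to cover any good-faith report made under this policy, keep it at `##` or state that scope explicitly in the first sentence.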