chore: update repository templates to ory/meta@939b80f

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -1,43 +1,48 @@
 # AUTO-GENERATED, DO NOT EDIT!
 # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml
 
-description: "Create a bug report"
+description: 'Create a bug report'
 labels:
   - bug
-name: "Bug Report"
+name: 'Bug Report'
 body:
   - attributes:
       value: "Thank you for taking the time to fill out this bug report!\n"
     type: markdown
   - attributes:
-      label: "Preflight checklist"
+      label: 'Preflight checklist'
       options:
-        - label: "I could not find a solution in the existing issues, docs, nor
-            discussions."
+        - label:
+            'I could not find a solution in the existing issues, docs, nor
+            discussions.'
           required: true
-        - label: "I agree to follow this project's [Code of
+        - label:
+            "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/examples/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label: "I have read and am following this repository's [Contribution
+        - label:
+            "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/examples/blob/master/CONTRIBUTING.md)."
           required: true
-        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label: "I am signed up to the [Ory Security Patch
-            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
+        - label:
+            'I have joined the [Ory Community Slack](https://slack.ory.sh).'
+        - label:
+            'I am signed up to the [Ory Security Patch
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter).'
     id: checklist
     type: checkboxes
   - attributes:
       description:
-        "Enter the slug or API URL of the affected Ory Network project. Leave
-        empty when you are self-hosting."
-      label: "Ory Network Project"
-      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+        'Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting.'
+      label: 'Ory Network Project'
+      placeholder: 'https://<your-project-slug>.projects.oryapis.com'
     id: ory-network-project
     type: input
   - attributes:
-      description: "A clear and concise description of what the bug is."
-      label: "Describe the bug"
-      placeholder: "Tell us what you see!"
+      description: 'A clear and concise description of what the bug is.'
+      label: 'Describe the bug'
+      placeholder: 'Tell us what you see!'
     id: describe-bug
     type: textarea
     validations:
@@ -51,27 +56,28 @@ body:
         1. Run `docker run ....`
         2. Make API Request to with `curl ...`
         3. Request fails with response: `{"some": "error"}`
-      label: "Reproducing the bug"
+      label: 'Reproducing the bug'
     id: reproduce-bug
     type: textarea
     validations:
       required: true
   - attributes:
-      description: "Please copy and paste any relevant log output. This will be
+      description:
+        'Please copy and paste any relevant log output. This will be
         automatically formatted into code, so no need for backticks. Please
-        redact any sensitive information"
-      label: "Relevant log output"
+        redact any sensitive information'
+      label: 'Relevant log output'
       render: shell
       placeholder: |
         log=error ....
     id: logs
     type: textarea
   - attributes:
       description:
-        "Please copy and paste any relevant configuration. This will be
+        'Please copy and paste any relevant configuration. This will be
         automatically formatted into code, so no need for backticks. Please
-        redact any sensitive information!"
-      label: "Relevant configuration"
+        redact any sensitive information!'
+      label: 'Relevant configuration'
       render: yml
       placeholder: |
         server:
@@ -80,14 +86,14 @@ body:
     id: config
     type: textarea
   - attributes:
-      description: "What version of our software are you running?"
+      description: 'What version of our software are you running?'
       label: Version
     id: version
     type: input
     validations:
       required: true
   - attributes:
-      label: "On which operating system are you observing this issue?"
+      label: 'On which operating system are you observing this issue?'
       options:
         - Ory Network
         - macOS
@@ -98,19 +104,19 @@ body:
     id: operating-system
     type: dropdown
   - attributes:
-      label: "In which environment are you deploying?"
+      label: 'In which environment are you deploying?'
       options:
         - Ory Network
         - Docker
-        - "Docker Compose"
-        - "Kubernetes with Helm"
+        - 'Docker Compose'
+        - 'Kubernetes with Helm'
         - Kubernetes
         - Binary
         - Other
     id: deployment
     type: dropdown
   - attributes:
-      description: "Add any other context about the problem here."
+      description: 'Add any other context about the problem here.'
       label: Additional Context
     id: additional
     type: textarea

SECURITY.md

@@ -10,21 +10,54 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# Security Policy
-
-## Supported Versions
-
-We release patches for security vulnerabilities. Which versions are eligible for
-receiving such patches depends on the CVSS v3.0 Rating:
-
-| CVSS v3.0 | Supported Versions                        |
-| --------- | ----------------------------------------- |
-| 9.0-10.0  | Releases within the previous three months |
-| 4.0-8.9   | Most recent release                       |
+# Ory Security Policy
+
+## Overview
+
+This security policy outlines the security support commitments for different
+types of Ory users.
+
+## Apache 2.0 License Users
+
+- **Security SLA:** No security Service Level Agreement (SLA) is provided.
+- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
+  will contain all security fixes implemented up to that point.
+- **Version Support:** Security patches are only provided for the current
+  release version.
+
+## Ory Enterprise License Customers
+
+- **Security SLA:** The following timelines apply for security vulnerabilities
+  based on their severity:
+  - Critical: Resolved within 14 days.
+  - High: Resolved within 30 days.
+  - Medium: Resolved within 90 days.
+  - Low: Resolved within 180 days.
+  - Informational: Addressed as needed.
+- **Release Schedule:** Updates are provided as soon as vulnerabilities are
+  resolved, adhering to the above SLA.
+- **Version Support:** Depending on the Ory Enterprise License agreement
+  multiple versions can be supported.
+
+## Ory Network Users
+
+- **Security SLA:** The following timelines apply for security vulnerabilities
+  based on their severity:
+  - Critical: Resolved within 14 days.
+  - High: Resolved within 30 days.
+  - Medium: Resolved within 90 days.
+  - Low: Resolved within 180 days.
+  - Informational: Addressed as needed.
+- **Release Schedule:** Updates are automatically deployed to Ory Network as
+  soon as vulnerabilities are resolved, adhering to the above SLA.
+- **Version Support:** Ory Network always runs the most current version.
+
+[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
+SLAs and process.
 
 ## Reporting a Vulnerability
 
-Please report (suspected) security vulnerabilities to
-**[security@ory.sh](mailto:security@ory.sh)**. You will receive a response from
-us within 48 hours. If the issue is confirmed, we will release a patch as soon
-as possible depending on complexity but historically within a few days.
+If you suspect a security vulnerability, please report it to
+**[security@ory.sh](mailto:security@ory.sh)**. We will respond within 48 hours.
+If confirmed, we will work to release a patch as soon as possible, typically
+within a few days depending on the issue's complexity.