# Ory Bug Bounty Program As a security focused company, Ory appreciates and encourages any interest by security researches and white-hat hackers in the companies products. To support the global infosec community, we award the responsible disclosure of vulnerabilities and data leaks according to the following policies. ## Responsible Disclosure A responsible disclosure always starts with contacting the Ory security team, using one of the channels specified at [https://www.ory.sh/.well-known/security.txt](https://www.ory.sh/.well-known/security.txt). Provide all details to reproduce the issue in form of a **non-public git repository** including all setup and execution steps, the binary and source of the exploit, as well as an example exploit payload (if applicable). Low-quality reports may be disqualified. The Ory security team will contact you within 96 hours to confirm the issue or ask for further details. Do not publish or share any details regarding the issue until the Ory security team explicitly permits the publication in written form. The Ory security team will permit publication once incidence response and patches are fully enrolled. Any exploits shall not be tested against environments hosted by Ory or any third party without the explicit consent to do so. In case this happens, the submission is disqualified. ## Awards The Ory maintainers have final decision on which issues constitute security vulnerabilities. Reports for already known issues will only be awarded with regards to the new information they add to the issue. Ory will score the severity of the disclosed issue according to [CVSS 3.1](https://www.first.org/cvss/v3.1/specification-document). Ory reserves the right to solely determine the factors affecting the score calculation based on the submitted exploit. Effectively this means that you have to prove e.g. the loss of confidentiality to have that included in the CVSS calculation. The bounty (in US dollars) for eligible issues in one of the main Ory open source projects (Hydra, Kratos, Keto, Oathkeeper, fosite) OR the Ory SaaS is paid according to the following table: | CVSS Rating | Amount (USD) | | ------------------- | ------------ | | Low 0.1 - 3.9 | 125 | | Medium 4.0 - 6.9 | 250 | | High 7.0 - 8.9 | 500 | | Critical 9.0 - 10.0 | 1000 | Other Ory open source projects may still be eligible depending on the impact of the disclosed issue. ### Additional Expenses In case you required exceptional expenses for providing and disclosing the issue, Ory will refund you these expenses, if and only if you provide the original invoice and a valid reason for requiring the resources. All resources have to be directly tied to the disclosure of the issue. This clause also applies to exceptionally huge time-investment from your side. In that case, file an invoice yourself according to your local law, including a description of the work done on your side. It is Ory's final decision whether the reasons for additional expenses are valid and the additional expenses are refunded. ## Disclaimers This document is not legally binding. It's sole purpose is to define the submission and follow-up process of reporting security issues to Ory. The content of this document may change at any time.