# ory-selfhosting
c
Has Ory Kratos undergone a 3rd party security audit? I think I saw reference to it somewhere but cannot find it
m
What kind of audit are you looking for? Ory has a number of certifications that also include security audits: https://www.ory.sh/docs/security-compliance/compliance-and-certifications Ory Network also conducts quarterly/yearly pentests, which also include audits of the underlying OSS packages.
Many organizations also conduct their own regular audits as it's business critical for them, which usually are not shared publicly, but that probably doesn't help you...
c
@magnificent-energy-493 Thanks for taking the time. I'm looking for a record of a third-party application security audit (pentest). Really just at the application layer of Kratos and its API-centric design. 100% understand if you perform audits internally, but as you probably guessed I'm looking at a compliance requirement 😄 I think the OpenID certification will be valuable, but I don't know if it really meets the requirement. I don't need documentation on the audit, just proof that it was done (even if it's just a line in the documentation).
m
You can get a summary of the pentest in our trust center: https://trust.ory.sh/. Since afaik you are not a customer of Ory we would need you to sign an NDA to access it. Please contact office@ory.sh and put me (vincent@ory.sh) in CC for this.
c
Thanks!