http4k Ltd is committed to the security of our software and our users. We welcome responsible security research and will work with anyone who reports vulnerabilities to us in good faith. This policy describes how to report security vulnerabilities in http4k products and what you can expect from us.

This policy applies to all http4k products, including the open-source http4k toolkit and http4k Enterprise Edition. It has been prepared in accordance with the EU Cyber Resilience Act (Regulation 2024/2847), including the coordinated vulnerability disclosure requirements of Article 13(6).

How to Report a Vulnerability#

Email: [email protected]

GitHub: Use GitHub Security Advisories (private vulnerability reporting - messages are encrypted by default)

Please include the following in your report:

What to Expect#

StageTimeline
AcknowledgementWithin 48 hours of your report
Initial assessmentWithin 5 working days
Status updateAt least every 14 days until resolution
Fix developmentVaries by severity (Critical: 48 hours target; High: 7 days; Medium: 30 days)
Public disclosureCoordinated with reporter; typically within 90 days of the initial report

We will keep you informed throughout the process and will not publish details of the vulnerability without coordinating with you first.

Scope#

In scope#

Out of scope#

Safe Harbour#

http4k Ltd will not pursue legal action against security researchers who:

If you act in good faith under this policy, we will consider your research to be authorised and will not initiate legal proceedings against you in relation to your research.

Our Commitments#

When we receive a valid vulnerability report, we commit to:

  1. Acknowledge your report within 48 hours.
  2. Assess the vulnerability and assign a severity rating using CVSS v3.1.
  3. Develop and release a fix according to our severity-based timelines.
  4. Assign a CVE for confirmed vulnerabilities and publish a GitHub Security Advisory (GHSA).
  5. Credit you in our security advisory (unless you prefer to remain anonymous).
  6. Update our SBOMs - we publish CycloneDX SBOMs for every module, signed with cosign.
  7. Notify our users via our security advisories page, GitHub, and direct communication with Enterprise customers.
  8. Report upstream - if the vulnerability is in a third-party or open-source component integrated into our products, we will report it to the component maintainer and share relevant fixes, in accordance with CRA Article 13(6).
  9. Report to authorities - where required by the EU Cyber Resilience Act (Article 14), we will notify the designated CSIRT and ENISA of actively exploited vulnerabilities within the mandated timeframes.

Upstream and Downstream Coordination (CRA Article 13(6))#

When we identify a vulnerability in a component we integrate - including open-source dependencies - we will:

Similarly, we expect downstream users who discover vulnerabilities in http4k products to report them to us using this policy, so we can coordinate remediation across the ecosystem.

Vulnerabilities in Dependencies#

If you discover vulnerabilities in http4k’s dependencies, these should be reported directly to the respective project maintainers. We do not consider the inclusion of a vulnerable dependency in http4k itself to be a vulnerability in http4k, as developers are free to override dependency versions. We strive to keep dependencies updated and will incorporate security patches in subsequent releases.

Recognition#

We maintain a list of security researchers who have responsibly disclosed vulnerabilities to us on our security advisories page. If you would like to be recognised, please let us know in your report.

Contact#

This policy is reviewed annually and updated as needed.