If you find a security issue in HTTP Toolkit, please get in touch privately at security@httptoolkit.com with the details so this can be resolved. For any other non-sensitive issues, please open an issue on GitHub to discuss the problem you're facing.
The following defines the formal incident reporting procedure, for customers whose procurement rules require HTTP Toolkit to have a detailed, formalized policy:
Security incidents should be reported to: security@httptoolkit.com. All other incidents should be reported via GitHub issues.
For provider-specific issues, additional notifications should be sent to:
- Auth0 Support (authentication issues)
- Paddle or PayPro Global Support (payment issues)
- Scaleway or Bunny CDN Support (infrastructure/CDN issues)

- Security breaches
- Unauthorized access to systems
- Data leak or exposure
- Complete service unavailability
- Target Response Time: 24 hours
- Maximum Response Time: 48 hours

- Service degradation affecting all users
- Authentication system disruption
- Payment system disruption
- Critical infrastructure failure
- Target Response Time: 48 hours
- Maximum Response Time: 72 hours

- Partial service degradation
- Non-critical infrastructure issues
- Performance degradation
- Target Response Time: 48 hours
- Maximum Response Time: 2 weeks

- Minor bugs
- Non-critical feature issues
- UI/UX issues
- Target Response Time: 1 week
- Maximum Response Time: 2 weeks

All incident reports will be retained for a minimum of two years. The incident response procedure will be reviewed annually and updated as needed.