Skip to main content
VibeAudit Liability Index
mediumrate-limit riskFix order 7

Rate Limit Missing Person

What it is

Public API or auth endpoints are present without visible rate-limit or abuse-control proof.

This usually appears when generated code proves that a feature works but does not leave enough evidence that the launch boundary was checked.

How to fix it

Add per-IP/user rate limits, abuse telemetry, and tests for burst denial.

  1. 1Add per-IP or per-user limits to public API and auth endpoints.
  2. 2Record abuse telemetry for denied bursts.
  3. 3Test burst denial without relying on client-side throttling.

How VibeAudit checks for this

VibeAudit checks this with SAST_LOCAL_STRUCTURAL route/global rate-limit evidence and limited DAST_Q1_ACTIVE burst-denial smoke checks when authorized. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan