| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
- Email: Send details to [email protected]
- Subject: Include "SECURITY" in the subject line
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Resolution Timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: Next release
- We'll work with you to understand and validate the issue
- We'll develop and test a fix
- We'll release the fix and publicly disclose the vulnerability
- We'll credit you in the release notes (unless you prefer to remain anonymous)
When using hitlimit:
- Use Redis in production for distributed deployments
- Set appropriate limits - too high defeats the purpose, too low affects users
- Monitor rate limit hits - unusual patterns may indicate attacks
- Use HTTPS - IP-based limiting relies on accurate client IPs
- Configure trusted proxies - if behind a load balancer
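The last two points deserve a concrete illustration, because an IP-based limiter is only as good as the client address it keys on: if a service behind a load balancer trusts `X-Forwarded-For` from anyone, a caller can choose its own rate-limit bucket. The following is an added example, not hitlimit's own code (hitlimit's actual configuration API is not shown here); the proxy ranges, addresses and the `FixedWindowLimiter` class are constructed for the demonstration.

```python
import time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed example: address ranges of the reverse proxies / load balancers
# we operate. Only a request arriving from one of these peers is allowed to
# carry a meaningful X-Forwarded-For header. Adjust to your own deployment.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]


def _parse(addr: str):
    """Return an ip_address object, or None if addr is not a valid IP literal."""
    try:
        return ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str, trusted) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(peer_addr: str, forwarded_for: Optional[str],
                      trusted=TRUSTED_PROXIES) -> str:
    """Pick the address to rate-limit on.

    * If the TCP peer is not a trusted proxy, ignore X-Forwarded-For entirely:
      every value in it was written by an untrusted party.
    * Otherwise walk the header from the right (the hop nearest to us),
      skipping addresses that are themselves trusted proxies. The first
      address that is not a trusted proxy is the real client.
    * Any unparsable hop, or a chain made only of trusted proxies, falls back
      to the peer address so a malformed header cannot pick its own bucket.
    """
    if not forwarded_for or not _is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return peer_addr
        if not _is_trusted(hop, trusted):
            return hop
    return peer_addr


class FixedWindowLimiter:
    """Hypothetical in-memory fixed-window counter, keyed by client IP.

    State lives in this process only; with several instances behind a load
    balancer each one keeps its own counts, which is why a shared store such
    as Redis is recommended above for distributed deployments.
    """

    def __init__(self, limit: int, window_seconds: int, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so a demo or test can freeze time
        self._counts: Dict[Tuple[str, int], int] = {}

    def allow(self, key: str) -> bool:
        """Count one hit for key; return False once the window's limit is exceeded."""
        bucket = int(self.clock() // self.window)
        k = (key, bucket)
        self._counts[k] = self._counts.get(k, 0) + 1
        return self._counts[k] <= self.limit


def demo() -> List[bool]:
    """Five requests from one untrusted peer, each claiming a different client
    address in X-Forwarded-For. Because the peer is not a trusted proxy the
    header is ignored, all five land in the same bucket, and with limit=3 the
    last two are rejected."""
    limiter = FixedWindowLimiter(limit=3, window_seconds=60, clock=lambda: 1000.0)
    results = []
    for i in range(5):
        key = resolve_client_ip("203.0.113.7", "198.51.100.%d" % i)
        results.append(limiter.allow(key))
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the header is read from the right, discarding only hops you operate: the rightmost untrusted address is the one your own proxy appended, so it is the only value the client could not have written. Whatever library you use, check that its trusted-proxy setting behaves this way rather than simply taking the leftmost entry.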
Thank you for helping keep hitlimit secure!