Security: DarshanAguru/congestioncontrols

SECURITY.md

Security Policy

🔒 Security Overview

CongestionControls takes security seriously. As a library that handles request throttling, caching, and resource management, we are committed to ensuring the security and reliability of our codebase.

🚨 Reporting Security Vulnerabilities

If you discover a security vulnerability in CongestionControls, please help us by reporting it responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

  • Email: agurudf@gmail.com
  • Subject: [SECURITY] Vulnerability Report - CongestionControls

What to Include

When reporting a security vulnerability, please include:

  1. Description: A clear description of the vulnerability
  2. Impact: What an attacker could achieve by exploiting this vulnerability
  3. Steps to Reproduce: Detailed steps to reproduce the issue
  4. Proof of Concept: If possible, include a proof of concept
  5. Environment: Your environment details (Python version, OS, etc.)
  6. Suggested Fix: If you have suggestions for fixing the issue

Our Response Process

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
  2. Investigation: We will investigate the issue and determine its severity
  3. Updates: We will provide regular updates on our progress (at least weekly)
  4. Fix Development: We will develop and test a fix
  5. Disclosure: We will coordinate disclosure with you
  6. Release: We will release the fix and security advisory

We aim to resolve critical security issues within 30 days of reporting.

πŸ” Security Considerations

For Users

When using CongestionControls, consider these security aspects:

Rate Limiting

  • Key Generation: Be careful with key functions to avoid key exhaustion attacks
  • Rate Limits: Set appropriate rate limits based on your use case
  • Key Space: Monitor for unusually high key cardinality

# Good: Specific keys for rate limiting
@rate_limiter(key_func=lambda user_id: f"user:{user_id}", max_calls=100, window_seconds=60)

# Risky: Generic keys that could be exhausted
@rate_limiter(key_func=lambda *args: "global", max_calls=1000, window_seconds=60)

SingleFlight Caching

  • TTL Settings: Set appropriate TTL values to prevent stale data issues
  • Key Functions: Ensure key functions don't leak sensitive information
  • Memory Usage: Monitor memory usage for high-cardinality keys

# Good: Reasonable TTL for user data
@singleflight(key_func=lambda user_id: f"user:{user_id}", ttl=300)  # 5 minutes

# Risky: Very long TTL
@singleflight(key_func=lambda user_id: f"user:{user_id}", ttl=86400)  # 24 hours
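
One way to act on the key-function and key-cardinality points above, as an added example that is not part of CongestionControls: a wrapper for any key_func that replaces raw identifiers with an HMAC digest and counts distinct keys in a sliding window. GuardedKeyFunc, its parameters, the secret and the sample identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import threading
import time
from collections import OrderedDict

logger = logging.getLogger(__name__)

class GuardedKeyFunc:
    """Wrap a key_func: pseudonymize its keys and watch distinct-key count."""

    def __init__(self, key_func, secret, max_keys=10_000,
                 window_seconds=60.0, clock=time.monotonic):
        self._key_func = key_func
        self._secret = secret          # server-side secret, never logged
        self._max_keys = max_keys      # alert threshold and tracker bound
        self._window = window_seconds
        self._clock = clock
        self._seen = OrderedDict()     # digest -> last seen, oldest first
        self._lock = threading.Lock()
        self.alerts = 0

    def __call__(self, *args, **kwargs):
        raw = str(self._key_func(*args, **kwargs)).encode("utf-8")
        # HMAC keeps e-mail addresses or tokens out of cache keys and logs
        key = hmac.new(self._secret, raw, hashlib.sha256).hexdigest()[:32]
        now = self._clock()
        with self._lock:
            self._seen[key] = now
            self._seen.move_to_end(key)
            # Forget keys not seen within the window
            while self._seen and next(iter(self._seen.values())) < now - self._window:
                self._seen.popitem(last=False)
            if len(self._seen) > self._max_keys:
                self.alerts += 1
                logger.warning("key cardinality above %d in %.0fs window",
                               self._max_keys, self._window)
                self._seen.popitem(last=False)  # keep the tracker bounded
        return key

    def cardinality(self):
        with self._lock:
            return len(self._seen)

# Constructed sample: the raw identifier never appears in the key
user_key = GuardedKeyFunc(lambda user_id: f"user:{user_id}", secret=b"\x01" * 32)
assert "alice" not in user_key("alice@example.com")
```

An instance can be passed wherever the snippets above take key_func=; the secret should be loaded from configuration, not written in source.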

For Contributors

Secure Coding Practices

  • Input Validation: Always validate inputs to decorators
  • Thread Safety: Ensure thread-safe implementations
  • Resource Limits: Implement proper resource limits
  • Error Handling: Don't leak sensitive information in error messages

Code Review Checklist

  • No hardcoded secrets or credentials
  • Input validation on all public APIs
  • Proper error handling without information leakage
  • Thread-safe operations
  • Resource limits and bounds checking
  • No use of deprecated or vulnerable dependencies

πŸ›‘οΈ Security Best Practices

General Guidelines

  1. Keep Dependencies Updated: Regularly update to the latest versions
  2. Use Virtual Environments: Isolate your application dependencies
  3. Monitor Usage: Log and monitor decorator usage patterns
  4. Regular Audits: Perform regular security audits of your implementation

Configuration Security

import os

# Secure configuration loading: int()/float() raise ValueError on non-numeric input
RATE_LIMIT_MAX = int(os.getenv('RATE_LIMIT_MAX', '100'))
SINGLEFLIGHT_TTL = float(os.getenv('SINGLEFLIGHT_TTL', '0.2'))

# Validate configuration values
if not 0 < RATE_LIMIT_MAX <= 10000:
    raise ValueError("Invalid RATE_LIMIT_MAX value")

# The chained comparison also rejects NaN, which would pass "< 0 or > 3600"
if not 0 <= SINGLEFLIGHT_TTL <= 3600:
    raise ValueError("Invalid SINGLEFLIGHT_TTL value")

Monitoring and Alerting

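import functools
import logging

logger = logging.getLogger(__name__)

def monitor_rate_limiter(func):
    """Log the outcome of each call to a rate-limited function."""
    @functools.wraps(func)  # keep the wrapped function's name and docstring
    def wrapper(*args, **kwargs):
        try:
            result = func(*args, **kwargs)
            # Log successful operations
            logger.info("Rate limiter allowed request for %s", func.__name__)
            return result
        except Exception as e:
            # Log blocked operations (any exception raised by the call lands here)
            logger.warning("Rate limiter blocked request for %s: %s", func.__name__, e)
            raise
    return wrapper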

📋 Known Security Considerations

Current Version

  • Thread Safety: All decorators are thread-safe for concurrent access
  • Memory Management: Automatic cleanup of expired cache entries
  • Input Validation: Basic input validation on decorator parameters
  • No External Dependencies: Pure Python implementation with no external network calls

Future Enhancements

  • Distributed Caching: Redis-backed singleflight for distributed systems
  • Advanced Rate Limiting: Token bucket and leaky bucket algorithms
  • Metrics Integration: Integration with monitoring systems
  • Configuration Encryption: Encrypted configuration storage

🔄 Security Updates

Security updates will be:

  1. Released immediately for critical vulnerabilities
  2. Disclosed in coordination with reporters
  3. Documented in release notes with CVE identifiers when applicable
  4. Backported to supported versions when possible

📞 Contact

For security-related questions or concerns:

  • Email: agurudf@gmail.com
  • PGP Key: Available upon request for encrypted communications

πŸ™ Recognition

We appreciate security researchers who help keep CongestionControls and its users safe. Responsible disclosure will be acknowledged in our security hall of fame (when established).

📜 Disclaimer

This security policy applies to the CongestionControls library itself. Users are responsible for securing their applications that use this library.

There aren't any published security advisories