Test fixture

Sec-Missing-Rate-Limit-Login

Securityv2 — Resilienceeasyscorer: rubric_json_metrics

Secure code changes, vulnerability recognition, and safe defaults.

How it is scored

The model receives the prompt (and optional system message). The run uses scorer rubric_json_metrics with the JSON configuration below. Pass/fail and partial credit are determined entirely by that scorer against the model output; no human grading.

User prompt

Return JSON only with keys verdict, risk, mitigation. A login endpoint accepts unlimited authentication attempts with no rate limiting, account lockout, or throttling mechanism in place.

Scorer config

{
  "metrics": {
    "correct": {
      "checks": [
        {
          "contains": [
            "brute force"
          ]
        },
        {
          "contains": [
            "rate limit"
          ]
        },
        {
          "contains": [
            "lockout"
          ]
        },
        {
          "contains": [
            "account enumeration"
          ]
        },
        {
          "contains": [
            "throttle"
          ]
        }
      ]
    },
    "hidden": {
      "checks": [
        {
          "contains": [
            "CAPTCHA"
          ]
        },
        {
          "contains": [
            "exponential backoff"
          ]
        },
        {
          "contains": [
            "IP-based"
          ]
        },
        {
          "contains": [
            "consistent response time"
          ]
        },
        {
          "contains": [
            "MFA"
          ]
        }
      ]
    }
  }
}

Run parameters

temperature

max_tokens

420

timeout (s)

120

type

scored

file

sec-missing-rate-limit-login.json

← PreviousSec-Md5-Password-Hash

Next →Sec-Oauth-Pkce-Verifier