
> a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.

Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?

It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.



