API & Usage Limits

The API is completely free — no keys, no signup, no cost. We want you to use it. The only limits are rate limits to keep things fast for everyone. We don't track you or sell your data — see our privacy policy.

API Rate Limits

All rate limits are applied per IP address. When exceeded, the API returns HTTP 429 Too Many Requests.

| Endpoint | Limit | Window |
|---|---|---|
| General API (/api/v1/vulns, /api/v1/stats, etc.) | 60/min | 1 minute, sliding |
| Search (/?q=... and /api/v1/vulns?q=...) | 30/min | 1 minute, sliding |
| Exploit downloads (/api/v1/exploits/{id}/download) | 30/min | 1 minute, sliding |

Response headers
X-RateLimit-Limit: Maximum requests allowed in the window
X-RateLimit-Remaining: Requests remaining before throttling
X-RateLimit-Reset: Unix timestamp when the window resets
Retry-After: Seconds to wait (only on 429 responses)
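
An added example, not code from this API's documentation or its operators: a client-side helper that paces requests from the headers listed above and gives up after a few 429 responses instead of continuing to send. The `fetch` callable, `MAX_RETRIES`, and the 60-second fallback are assumptions, and the sample responses are constructed.

```python
import time

MAX_RETRIES = 3  # assumption: stop long before the "10 in 10 min" ban threshold


def wait_seconds(status, headers, now):
    """Seconds to pause before the next request, per the documented headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        if "retry-after" in h:           # only present on 429 responses
            return max(0.0, float(h["retry-after"]))
        if "x-ratelimit-reset" in h:     # fall back to the window reset time
            return max(0.0, float(h["x-ratelimit-reset"]) - now)
        return 60.0                      # assumption: one full 1-minute window
    remaining, reset = h.get("x-ratelimit-remaining"), h.get("x-ratelimit-reset")
    if remaining is not None and reset is not None and int(remaining) <= 0:
        return max(0.0, float(reset) - now)  # budget spent: wait, don't hit 429
    return 0.0


def polite_get(fetch, url, sleep=time.sleep, clock=time.time):
    """fetch(url) -> (status, headers, body) is a caller-supplied transport."""
    for attempt in range(MAX_RETRIES + 1):
        status, headers, body = fetch(url)
        pause = wait_seconds(status, headers, clock())
        if status != 429:
            if pause:
                sleep(pause)             # idle until the window resets
            return status, body
        if attempt < MAX_RETRIES:
            sleep(pause)                 # never re-send before Retry-After elapses
    raise RuntimeError("still rate limited after %d retries" % MAX_RETRIES)


if __name__ == "__main__":
    # Constructed responses (not captured from the real API).
    canned = iter([
        (429, {"Retry-After": "7", "X-RateLimit-Remaining": "0"}, ""),
        (200, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1030"}, "ok"),
    ])
    slept = []
    result = polite_get(lambda url: next(canned), "/api/v1/stats",
                        sleep=slept.append, clock=lambda: 1000.0)
    print(result, slept)
```

Pair this with a local response cache so repeated lookups do not spend the per-IP budget at all.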

Abuse Protection

Automated abuse detection protects the platform. Offending IPs are banned at the Cloudflare edge.

| Behavior | Threshold | Ban |
|---|---|---|
| Ignoring rate limits: continued requests after 429 | 10 in 10 min | 2 hours |
| Search abuse: automated enumeration of queries | 40 in 5 min | 1 hour |
| Exploit harvesting: mass-downloading exploit code | 50 in 10 min | 4 hours |
| API data scraping: bulk pagination of vuln database | 300 in 5 min | 1 hour |
| API key brute-force: repeated authentication failures | 5 in 10 min | 4 hours |

Fair Use

Encouraged
Searching and browsing vulnerabilities
Downloading exploits for security research
Integrating the API into security workflows
Monitoring CVEs or products via RSS feeds
Caching API responses locally

Not Allowed
Bulk scraping the entire database
Mirroring all exploit code files
Automated brute-force of API keys
Running load tests against the platform
Circumventing limits with rotating IPs