We received a report about missing rate-limiting functionality, which is explicitly listed as out of scope for our security program. Since migrating our backends to AWS, we have had no proper rate-limiting functionality in place. Due to the complexity of our infra stack, we cannot use the standard WAF solution AWS provides and need to create our own solution. The implementation is still in progress. Using CAPTCHA to limit sign-ins is not desirable. The rationale is the same as for not enforcing complex passwords.