Updated continuously

Changelog

What's shipped recently. Subscribe to the RSS feed for the longer-form posts behind these.

2026-04-15
  • New: 'What we check' capabilities section on the homepage — 50+ modules across 7 categories
  • New: blog redesign with hero + card grid + tags + reading time
  • New: /.well-known/security.txt for responsible-disclosure researchers
  • New: per-user hourly scan rate-limit + email-verify gate + target-add flood detection
  • New: public /health endpoint with live scanner state
  • Fix: text selection in finding rows no longer collapses the row
  • Infra: scaled to t3.2xlarge for HN-launch traffic; CF cache + rate-limit rules deployed
  • Billing: Stripe production live (PAYG, Monthly, Pro all chargeable)
2026-04-14
  • New: 14 modules — GraphQL introspection, default-port DB probe, infra-leak paths, S3/GCS bucket extraction, OAuth open-redirect, JWT weak-secret crack, session entropy, Hasura anonymous-role audit, typosquat detection, K8s/Docker unauth API checks, Supabase service_role JWT detection, plus 17 new secret patterns
  • Fix: ai-triage no longer over-demotes deterministic findings
  • Fix: Supabase deep-probe now scans JS bundles (was HTML-only) and probes real table names extracted from .from() / .rpc() / .storage / .functions calls
2026-04-13
  • New: AI chat prompt-injection probe with 2 minimal canary probes per endpoint
  • New: IDOR / BOLA sweep with PII-leak detection in response bodies
  • New: WAF / CDN fingerprinting (Cloudflare, Akamai, Fastly, Vercel, Netlify, etc.)
2026-04-12
  • New: scan-diff UI — compare two runs for the same target, see what changed
  • New: per-scan email notifications (first-scan welcome, daily digest, CRIT/HIGH alerts)
  • Fix: scoping bug — UNIQUE(host) is now per-user, not global