
What Is a Vezraa Trust Score? (And How to Earn the Badge)

Every Vezraa scan produces a single number: a score from 0 to 100. Here's exactly what goes into it, what 80+ actually means, and how to turn a good score into a badge you can put on your website.

Why a Single Score, Not Just a List of Findings

A raw list of security findings is hard to act on at a glance: are 3 medium findings worse than 1 critical? Is your app "basically fine" or "one leaked key away from a breach"? The score compresses that into one number so you can tell, at a glance, whether you're ready to ship.

It's not a vanity metric. It's calculated from the same 90+ audit categories the scan actually runs — secrets exposure, Supabase RLS, security headers, payment webhook verification, AI provider cost controls, and more — weighted so severity matters more than volume.

How the Score Is Weighted

Not every finding costs you the same number of points. A single critical finding — an exposed database, a leaked service-role key, an unauthenticated admin route — pulls your score down far more than a handful of low-severity items like a missing minor header. This is deliberate: a score of 92 with one unnoticed critical issue would be actively misleading.

In practice this means:

  • A perfect score on 89 of 90 checks, with one critical failure, still won't clear 80.
  • A handful of medium/low findings with zero criticals can still land comfortably above 80.
  • The gap between 79 and 80 isn't cosmetic — it's the exact threshold the Trust Badge system checks against.

The 80+ Threshold and the Trust Badge

Score 80 or higher on a completed scan, and you become eligible to generate a Trust Badge — available on paid Vezraa plans. The badge is tied to that specific scan result, not a generic "we like this app" stamp. It's meant to be embedded on your site or linked from your pricing page, giving visitors (or investors, or enterprise customers doing diligence) a way to verify your app actually passed a real security audit — not just a claim in your marketing copy.

Every badge points to a live verification page rather than being a static image that could be screenshotted and kept forever. That page reflects the badge's real, current status (valid, expired or revoked), so anyone verifying should follow the link rather than trust the embedded image, and trust in the badge doesn't depend on trusting the person who put it on their site.

Why Badges Expire After 90 Days

A Trust Badge is only useful if it reflects something recent. Code gets changed, dependencies get bumped, a new feature ships with a forgotten auth check; the security posture of an app 8 months ago tells you very little about its posture today.

So every badge carries a 90-day expiry from the day it's issued, the same logic as a TLS certificate needing renewal. When it expires, you run a fresh scan to reissue it. Badges can also be revoked directly if something changes; the verification page always shows the real, current state rather than a frozen snapshot from the day you earned it.
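To make the weighting rules and the badge lifecycle concrete, here is an added Python example. It is not Vezraa's code: the per-severity penalties are assumed (the page only says that a single critical finding on its own lands below 80, so the critical penalty is set larger than 20), and the scan IDs and findings are constructed. It walks sample findings through the severity-weighted score, the 80+ eligibility check, the 90-day expiry and direct revocation, covering both the weighting section above and the threshold and expiry sections.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Assumed per-severity penalties, for illustration only; Vezraa's real weights are not published.
# The page's one stated property is that a single critical finding alone misses the 80 threshold,
# so the critical penalty must exceed 100 - 80 = 20.
PENALTY = {"critical": 40, "high": 15, "medium": 5, "low": 2}
BADGE_THRESHOLD = 80                 # from the page: 80+ is badge-eligible
BADGE_LIFETIME = timedelta(days=90)  # from the page: badges expire 90 days after issue


@dataclass(frozen=True)
class Finding:
    category: str   # e.g. "secrets exposure", "supabase rls", "security headers"
    severity: str   # one of PENALTY's keys


def trust_score(findings: Iterable[Finding]) -> int:
    """Severity-weighted score: start at 100, subtract a per-finding penalty, floor at 0.

    Severity matters more than volume: one critical costs more than many low findings.
    """
    deducted = sum(PENALTY[f.severity] for f in findings)
    return max(0, 100 - deducted)


@dataclass(frozen=True)
class Badge:
    scan_id: str          # the badge is tied to one specific scan result
    score: int
    issued_at: datetime   # timezone-aware issue time
    revoked: bool = False


def issue_badge(scan_id: str, score: int, issued_at: datetime) -> Optional[Badge]:
    """Return a badge for an eligible score, or None if the scan did not clear the threshold."""
    if score < BADGE_THRESHOLD:
        return None
    return Badge(scan_id=scan_id, score=score, issued_at=issued_at)


def revoke(badge: Badge) -> Badge:
    """Mark a badge revoked; the verification page reports this immediately."""
    return replace(badge, revoked=True)


def badge_status(badge: Badge, now: datetime) -> str:
    """What a live verification page would report for this badge at time `now`.

    Revocation is checked first so a revoked badge never reads as merely 'expired'.
    """
    if badge.revoked:
        return "revoked"
    if now >= badge.issued_at + BADGE_LIFETIME:
        return "expired"
    return "valid"


def lifecycle_demo() -> dict:
    """Walk one badge through its lifecycle on constructed sample data; returns each step's result."""
    one_critical = [Finding("secrets exposure", "critical")]
    several_minor = ([Finding("security headers", "medium")] * 3
                     + [Finding("security headers", "low")] * 2)
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    badge = issue_badge("scan-0001", trust_score(several_minor), issued)
    return {
        "score_one_critical": trust_score(one_critical),     # 60: one critical alone misses 80
        "score_several_minor": trust_score(several_minor),   # 81: five non-critical findings still clear 80
        "badge_for_critical": issue_badge("scan-0002", trust_score(one_critical), issued),  # None
        "day_89": badge_status(badge, issued + timedelta(days=89)),  # valid
        "day_90": badge_status(badge, issued + timedelta(days=90)),  # expired
        "after_revoke": badge_status(revoke(badge), issued),         # revoked
    }


if __name__ == "__main__":
    for step, result in lifecycle_demo().items():
        print(f"{step}: {result}")
```

The status function is the part worth copying: a verifier should evaluate expiry and revocation at request time from the stored badge record, never from anything embedded in the badge image itself.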

How This Differs From the Leaderboard

The Trust Score and Badge are about your app specifically — a private (or embeddable) signal for your own users and prospects. The Production-Ready Leaderboard is the public, competitive layer built on top of the same 80+ threshold — it ranks every app that has earned a valid badge, so you can see how your score stacks up against other shipped apps.

Getting Your Score

The score comes from a real scan, not a self-report. Paste your deployed URL, Vezraa runs the full check suite in about 25 seconds, and you get the score along with every finding that fed into it — plus a paste-ready fix prompt for anything holding you back from 80.

Find out your score — scan your app in 25 seconds.
