Changelog

What we ship, when we ship it. Updated weekly.

v0.5 - May 25, 2026

security.txt generator + full legal trust center

  • New /tools/security-txt — free RFC 9116 vulnerability disclosure file generator with live preview, validation, copy & download
  • /security trust center: production controls, compliance status, coordinated disclosure policy, hall of fame
  • Eight new legal pages: Privacy Policy, Terms of Service, Cookie Policy, Acceptable Use, Disclaimer, DPA, Subprocessors, Contact
  • DPA auto-applies to every paid customer with full SCC + UK Addendum + DPDP coverage and TOM annex
  • Aligned /.well-known/security.txt with the published security policy (acknowledge in 2 business days, fix critical in 30 days)

v0.4.1 - May 25, 2026

Pricing flow + dashboard polish

  • New /pricing page with smart per-user CTAs: logged-out → login & resume; on free → Razorpay checkout; on paid → manage subscription
  • Login flow now honors a redirect parameter so /pricing → /login → checkout works end-to-end
  • Dashboard sidebar plan label is dynamic (no more hardcoded "Free")
  • Dashboard plan card switches between "Upgrade plan" (free users) and "Manage subscription" (paid users) via Razorpay portal
  • Open-redirect protection on every auth callback (sanitizeRedirect helper)

v0.4 - May 16, 2026

Auto-fix PRs for security headers, Razorpay webhooks, and rate limits

  • Auto-fix engine generates real code-changing GitHub PRs (not just fix briefs)
  • Fixes for: missing CSP/HSTS, Razorpay webhook signature verification, auth rate limiting, robots.txt, privacy policy
  • Available on Pro and Max plans — confidence scoring per fix type
  • Fix briefs still available for findings without auto-fix

v0.3 - May 15, 2026

Live Attack Replay — industry first

  • Every critical finding ships with a working proof-of-exploit (curl + response)
  • Replay button animates the attack succeeding against your own URL
  • 13 attack vectors with replay support: JWT alg:none, Razorpay webhook forgery, mass assignment, GraphQL introspection, subdomain takeover, CORS reflection, more
  • Live feed on landing page shows real findings as they happen

v0.2 - May 15, 2026

Rebrand to Vezraa

  • VibeAudit is now Vezraa — same product, sharper name
  • Live at vezraa.com
  • MCP package @vibeaudit/mcp continues to work (backward compatible)
  • New domain, new OG image, new brand colors (indigo + red accent)

v0.1.5 - May 14, 2026

MCP server published on npm

  • @vibeaudit/mcp@1.0.2 live on npm — works in Claude Code, Cursor, Windsurf, Claude Desktop
  • 5 tools exposed: scan, check_headers, check_dns, check_rls, get_report
  • API key generation in dashboard with one-click MCP config snippets per tool
  • Bring-your-own-key mode for power users

v0.1.4 - May 14, 2026

Subscription pricing — Starter / Pro / Max

  • Starter $9/mo, Pro $19/mo, Max $39/mo — 30% off annual
  • Free standalone tools remain available — header checker, DNS checker, RLS tester
  • Razorpay checkout flow wired end-to-end with subscription mode
  • Pricing modal on report page when free user tries to view locked findings

v0.1.3 - May 13, 2026

Parallel scanner — 30 second results

  • All 17 scan categories now run in parallel via Promise.allSettled
  • Average scan time dropped from ~140s to ~28s
  • Animated progress UI shows real-time scan activity
  • PageSpeed timeout reduced from 45s to 20s

v0.1.2 - May 12, 2026

Security hardening of our own app

  • Added full CSP, HSTS, X-Frame-Options, Permissions-Policy, COOP, CORP
  • Sentry integrated for error tracking (server, client, edge)
  • Free plan paywall enforced server-side, not just in UI
  • Score jumped from 50 to 90+ on our own scanner

v0.1.1 - May 10, 2026

Domain verification — 4 methods

  • DNS TXT record verification
  • HTML file verification at .well-known/
  • Meta tag verification
  • Ask AI — generates a paste-ready prompt for Cursor/Claude to add the verification

v0.1 - May 8, 2026

Initial release

  • 2,100 checks, 90+ categories
  • Active pentest probes: JWT, CORS, webhook forgery, mass assignment, GraphQL, subdomain takeover
  • Read-only scanner — no destructive operations
  • AI-generated fix prompts for every finding
