Vezraa Production Readiness Framework (VPRF)
The VPRF is the standard for evaluating whether software is actually ready for production. 150 checks across 16 categories, each with a clear severity level and remediation path.
What Is the VPRF
The Vezraa Production Readiness Framework (VPRF) is a comprehensive evaluation methodology designed to answer one question: is this software ready to serve real users in production? Unlike traditional security scanners that only check for CVEs and known vulnerabilities, the VPRF evaluates the full surface area of a modern web application — from security headers and HTTPS configuration to email authentication, payment webhook verification, AI safety guardrails, and SEO fundamentals.
The framework was developed by analyzing thousands of production failures, breach reports, and launch post-mortems across SaaS companies of all sizes. It codifies the checks that senior engineers perform intuitively into a repeatable, automated assessment with 150 discrete checks.
The 16 Categories
- Security — TLS configuration, security headers (CSP, HSTS, X-Frame-Options), exposed secrets in source code, API key leakage, CORS misconfiguration
- Performance — Core Web Vitals (LCP, INP, CLS), Time to First Byte, bundle size analysis, caching headers, CDN configuration
- Observability — Error tracking setup, structured logging, console PII leaks, application monitoring coverage, alerting configuration
- Payments — Webhook signature verification, idempotency key usage, exposed API keys in client-side code, PCI compliance posture
- SEO — Meta tags, Open Graph protocol, canonical URLs, sitemap presence, robots.txt, structured data (JSON-LD)
- Accessibility — WCAG 2.1 compliance, keyboard navigation, screen reader compatibility, color contrast, focus management
- AI Safety — Prompt injection guards, rate limiting on LLM endpoints, token spending limits, output validation, cost controls
- Email — SPF record, DKIM signing, DMARC policy, MX record validity, email forwarding security
- Legal — Privacy policy presence, terms of service, cookie consent mechanism, GDPR/CCPA compliance signals, contact page
- Infrastructure — Debug mode disabled, stack traces hidden, mixed content prevention, proper 404 handling, HTTP/2 support
- Breach History — Domain breach records, credential exposure checks, email compromise history, paste site monitoring
- Supply Chain — Dependency vulnerabilities, lockfile analysis, outdated packages, malicious package detection
- Authentication — Session management, OAuth configuration, MFA support, password policies, brute force protection
- API Design — Rate limiting, proper HTTP methods, consistent error responses, API versioning, authentication scheme
- Mobile Readiness — Responsive design, touch targets, viewport configuration, mobile-specific security
- Documentation — API docs availability, setup guides, changelog, security policy, support channels
Severity Levels (P0 / P1 / P2)
Every VPRF check is classified into one of three severity levels that determine remediation priority:
- P0 — Critical (Blocking) — These checks must pass before any production deployment. Examples: exposed database credentials, missing HTTPS enforcement, unverified payment webhooks, authentication bypass. A single P0 failure means the application is not production ready.
- P1 — High (Must Fix) — These issues must be resolved within one sprint or 30 days. Examples: missing CSP headers, CORS allowing all origins, no error tracking, poor Core Web Vitals. P1 failures indicate significant risk that should be addressed before scaling.
- P2 — Medium (Should Fix) — These items represent best practices and polish. Examples: missing Open Graph tags, no sitemap, low contrast text, missing alt text. P2 failures don't block deployment but erode trust and discoverability over time.
Approval Workflow
The VPRF follows a structured approval workflow designed to integrate into existing development processes:
- Trigger — The VPRF runs automatically when a new scan is initiated, as part of a CI/CD pipeline, or on a scheduled basis for continuous monitoring
- Assessment — All 150 checks execute across all 16 categories. Each check produces a pass/fail/not-applicable result with evidence
- Scoring — Results are aggregated into a production readiness score (0–100). Each category is weighted, and P0 failures cap the maximum possible score
- Review — Findings are presented in a prioritized list with reproduction steps, impact analysis, and fix guidance
- Remediation — Each finding includes a ready-to-use fix suggested implementation. P0 items include a one-click copy remediation prompt
- Re-assessment — After fixes are applied, a re-scan validates that the issues are resolved and no new issues were introduced
How Vezraa Scores Production Readiness
The production readiness score is a weighted composite of all 16 categories. Each category starts at 100 points and deductions are applied based on failed checks and their severity. P0 failures incur the heaviest penalty and also impose a score ceiling — if any P0 check fails, the overall score cannot exceed 70 regardless of passing checks in other categories. This ensures that critical security gaps cannot be hidden by good performance in other areas.
Category weights reflect real-world impact: Security carries the highest weight at 25%, followed by Performance (15%), Payments (10%), SEO (10%), Observability (8%), AI Safety (8%), Accessibility (7%), Email (6%), Legal (6%), Infrastructure (5%), and the remaining categories at lower weights. Categories that don't apply to a given application are excluded from the weighted average, so a static site without payments or AI features isn't penalized for those categories.
Every scan runs the full VPRF automatically.
Scan Your App Now →