
StackPatch V2 — 5 distros, KEV/EPSS-ranked, hourly match cycle

When the next CVE drops, you will know in 5 minutes if you are affected and exactly how to mitigate it.

Indie-priced patch ops for solo SaaS founders, small dev shops, and self-hosters who run their own infrastructure. Continuous CVE feed matched to your servers' actual stack, then ranked by what's actually being exploited (CISA KEV + EPSS) so you fix the few that matter first. Specific recommended actions, not vague threat scores.

Built by the team that mitigated CVE-2026-31431 (Copy Fail) on our own VPS in 30 minutes today, before most of the people we'd be selling to had even read the advisory.

CVEs indexed: 41,000+
Distros covered: 5
Packages tracked: 3,900+
Match cycle: hourly

Live counts at /status. Sources: Ubuntu USN, Debian Security Tracker, Alpine secdb, OSV.dev (RHEL family), NVD. New here? Read the patch-ops pillar guide (12 min), the build log on dev.to (5 min), or jump to your distro: Ubuntu · Debian · Alpine · AlmaLinux · Rocky.

Free quickscan — no signup, no payment, runs in your terminal

See which CVEs hit your installed packages in 30 seconds

One command. It reads your distro, kernel, and dpkg package list, matches them against USN/DSA/NVD, and prints the exact apt install fix for each match. Read-only — it does not modify your system, and the script is plain text so you can read it before running it.

$ curl -fsSL https://mindsparkstack.com/scan.sh | bash

Anonymous: the request carries only your distro/kernel/package list — no hostname, SSH keys, or env vars — and nothing about the scan is stored server-side.

Solo plan — the paid entry point

$9/mo · 3 servers, monitored hourly

Real-time CVE alerts ranked by what's actually being exploited, the exact command to fix each one, hourly scanning, and your own private audit-log URL. 14-day free trial — no card to start, cancel anytime.

Start 14-day trial →

Pro ($29/mo, 10 servers) and Team ($79/mo, unlimited) for growing shops. See all plans below.

Free tier — open now

Start with the free tier — 3 servers, weekly CVE digest, $0.

Tell us your distro and the digest mails you every Monday with new advisories matching your stack, plus real-time alerts the moment an actively-exploited (KEV) CVE hits. No card, no commitment. Upgrade to Solo ($9/mo) any time for real-time alerts on every CVE + your own audit URL + hourly scanning.

No card required. Real email only (disposable inboxes blocked). Also try the free quickscan first — 30 seconds, no signup, runs entirely in your terminal.

Public proof — not a marketing stat

How we handled CVE-2026-31431 (Copy Fail) on our own production VPS today

CVSS 7.8 local privilege escalation in the Linux kernel's algif_aead module. Disclosed publicly 2026-04-29. A 732-byte Python script roots most Linux distros shipped since 2017. Here is the timeline from our audit log:

  1. 11:07 UTC: Hostinger advisory hits our inbox. Email confirmed legitimate via Gmail audit (sender team@info.hostinger.com).
  2. 07:30 UTC: CVE verified across 4 authoritative sources (NVD + Ubuntu USN + openwall oss-security + CERT-EU) before running anything.
  3. 07:30 UTC: Persistent modprobe blacklist applied: /etc/modprobe.d/cve-2026-31431-copyfail.conf with blacklist + install /bin/false.
  4. 07:32 UTC: Mitigation verified. modprobe algif_aead now exits 1 via /bin/false; the module can no longer be loaded.
  5. 07:32 UTC: Kernel-patch watcher installed. Hourly cron compares the running kernel against the installed one; Telegram alert when the patched kernel ships.
  6. 12:10 UTC: Public blog post live. Full writeup with bug details + the LLM-supply-chain angle.
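Steps 3 and 4 of that timeline (apply the modprobe.d drop-in, then confirm the module can no longer be loaded) can be checked from a script instead of by hand. The following is an added example written for this page, not StackPatch's or the fleet's own code: it parses modprobe.d syntax, reports whether the module is blacklisted and whether its load is redirected to /bin/false, and reads /proc/modules to see whether it is loaded right now. The drop-in path is the one named in step 3; the sample drop-in contents and sample /proc/modules lines are constructed, and the kernel-module named is the one from the advisory above.

```python
from __future__ import annotations

MODULE = "algif_aead"
CONF_PATH = "/etc/modprobe.d/cve-2026-31431-copyfail.conf"  # drop-in path from the timeline
BLOCKING_COMMANDS = {"/bin/false", "/bin/true"}             # install commands that never load a module

# Constructed sample of the drop-in (the page gives the path and the two directives; exact text assumed).
SAMPLE_CONF = """\
# CVE-2026-31431 (Copy Fail) mitigation: refuse to load the vulnerable module
blacklist algif_aead
install algif_aead /bin/false
"""

# Constructed sample of /proc/modules (name size refcount users state address); algif_aead absent.
SAMPLE_PROC_MODULES = """\
af_alg 32768 1 algif_hash, Live 0x0000000000000000
algif_hash 16384 0 - Live 0x0000000000000000
xt_conntrack 16384 2 - Live 0x0000000000000000
"""


def parse_modprobe_conf(text: str) -> tuple[set[str], dict[str, str]]:
    """Return (blacklisted modules, {module: install command}) from modprobe.d syntax.

    Handles '#' comment lines and backslash line continuation; other directives are ignored."""
    blacklist: set[str] = set()
    install: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):               # continued on the next line
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "blacklist" and len(parts) >= 2:
            blacklist.add(parts[1])
        elif parts[0] == "install" and len(parts) == 3:
            install[parts[1]] = parts[2]
    return blacklist, install


def loaded_modules(proc_modules_text: str) -> set[str]:
    """Module names from /proc/modules content (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def check_mitigation(conf_text: str, proc_modules_text: str, module: str = MODULE) -> dict:
    """Report what the config guarantees for `module` and whether it is loaded right now.

    A 'blacklist' line only suppresses alias-based autoloading; modprobe by module name still
    loads it. The 'install ... /bin/false' line is what makes modprobe run /bin/false instead
    of loading, which is the 'exits 1' check in the timeline."""
    blacklist, install = parse_modprobe_conf(conf_text)
    cmd = install.get(module)
    load_blocked = cmd in BLOCKING_COMMANDS
    currently_loaded = module in loaded_modules(proc_modules_text)
    return {
        "blacklisted": module in blacklist,
        "install_command": cmd,
        "load_blocked": load_blocked,
        "currently_loaded": currently_loaded,
        "ok": load_blocked and not currently_loaded,
    }


if __name__ == "__main__":
    # On a real host read the drop-in and /proc/modules; fall back to the samples when absent.
    try:
        with open(CONF_PATH) as f, open("/proc/modules") as m:
            conf, mods = f.read(), m.read()
    except OSError:
        conf, mods = SAMPLE_CONF, SAMPLE_PROC_MODULES
    for key, value in check_mitigation(conf, mods).items():
        print(f"{key}: {value}")
```

The report deliberately separates "blacklisted" from "load_blocked": a drop-in with only a blacklist line passes the first and fails the second, and "ok" is only true when the load is blocked and the module is not already resident (a module loaded before the drop-in was written stays loaded until it is unloaded or the box reboots).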

The full writeup is at /blog/cve-2026-31431-copy-fail-llm-infra. StackPatch productizes exactly this response pattern for your servers, not just ours.

We run StackPatch on our own VPS as customer #0. Today it found 4 real outstanding CVEs we hadn't seen.

We patched 3 in real time (OpenSSH client/server/sftp-server — CVE-2026-35414 + CVE-2026-35387). The fourth requires Ubuntu Pro / ESM and is correctly flagged as outstanding. The matcher runs every hour. The audit log is public.

What StackPatch does

Continuous CVE feed matched to YOUR stack

Most tools tell you a CVE exists. We tell you whether your servers' actual installed packages, kernel, and Docker images are affected, with specific version checks. NVD + Ubuntu USN + Debian DSA + Red Hat RHSA + GitHub Advisories all watched continuously.

Ranked by what's actually being exploited

Every match is cross-referenced against CISA KEV (the actively-exploited-in-the-wild catalog) and FIRST EPSS (probability of exploitation in the next 30 days). KEV hits are flagged 'actively exploited', sorted to the top, and ransomware-linked ones are called out separately — so a wall of 40 CVEs becomes 'patch these 3 tonight.' This is the prioritization enterprise scanners gate behind a sales call, and it runs on the free scan.

Specific recommended action, not a threat score

When a CVE matches, you get the exact command to run, the modprobe blacklist syntax, the apt package version to upgrade to, the docker pull tag — not 'review and assess severity.' Optional auto-apply with explicit per-CVE approval and a full audit log.

Audit log your own customers can see

Every alert, every mitigation, every kernel update — timestamped and exportable. Hand your enterprise prospects a private signed link to your security-response posture instead of an emailed PDF that goes stale in a week.

SSH read-only or lightweight agent

Trust model is your choice. SSH read-only means we connect with your public key on our schedule. Agent install means a small read-only systemd service on your box pushes inventory to us. Both options ship with the V1 MVP. Both can be revoked instantly.

On the roadmap

What we're building next

Every item below is grounded in 2025-2026 vulnerability research and the high-value features enterprise scanners gate behind a sales call — brought down to indie pricing. These are honestly labeled by status, not sold as already shipped. Solo and up get them as they land, no V2 paywall.

Building

In-use vs dormant CVE filter

Split every finding into 'in-use — patch now' and 'dormant — installed but nothing loads it,' so a 40-CVE wall collapses to the few that touch live traffic. The reachability filtering Sysdig and Snyk gate behind a sales call.

Building

"unattended-upgrades won't save you" report

Auto-updates skip reboot-required kernel CVEs and silently hold packages. We surface exactly which actively-exploited (KEV) CVEs are stuck pending-reboot or held back right now — the blind spot most founders assume is covered.
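The blind spot described above has three concrete signals on an Ubuntu/Debian box: the running kernel (`uname -r`) is older than the newest installed `linux-image-*` package, a package is pinned with `apt-mark hold`, or a package appears in `/var/run/reboot-required.pkgs`. The following is an added example written for this page, not StackPatch's own report: it reads those three signals (supplied as text, in the shape the commands and file produce) and lists the KEV findings that unattended-upgrades has left unresolved, with the reason. The sample command output, file contents and `CVE-0000-*` findings are constructed.

```python
from __future__ import annotations
import re

# Constructed sample inputs, in the shape the corresponding commands and file produce.
UNAME_R = "6.8.0-58-generic"                      # uname -r: the kernel actually running
# dpkg-query -W -f='${Package}\t${Status}\n' 'linux-image-*'
DPKG_KERNELS = (
    "linux-image-6.8.0-58-generic\tinstall ok installed\n"
    "linux-image-6.8.0-60-generic\tinstall ok installed\n"
    "linux-image-generic\tinstall ok installed\n"
)
APT_MARK_SHOWHOLD = "openssh-server\nvim\n"       # apt-mark showhold
REBOOT_REQUIRED_PKGS = "linux-image-6.8.0-60-generic\nlibc6\n"  # /var/run/reboot-required.pkgs
# Matcher findings (constructed; CVE ids are placeholders): the installed package the CVE
# matched against, and whether CISA KEV lists it.
FINDINGS = [
    {"cve": "CVE-0000-0101", "package": "linux-image-6.8.0-58-generic", "kev": True},
    {"cve": "CVE-0000-0102", "package": "openssh-server", "kev": True},
    {"cve": "CVE-0000-0103", "package": "libc6", "kev": True},
    {"cve": "CVE-0000-0104", "package": "curl", "kev": True},   # upgrades normally, not stuck
    {"cve": "CVE-0000-0105", "package": "vim", "kev": False},   # held, but not KEV: not reported
]


def kernel_key(release: str) -> tuple[int, ...]:
    """Numeric components of a kernel release, e.g. '6.8.0-60-generic' -> (6, 8, 0, 60)."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def installed_kernels(dpkg_text: str) -> list[str]:
    """Versioned linux-image packages in state 'install ok installed' (meta-packages skipped)."""
    kernels = []
    for line in dpkg_text.splitlines():
        pkg, _, status = line.partition("\t")
        m = re.fullmatch(r"linux-image-(\d[\w.+-]*)", pkg)
        if m and status.strip() == "install ok installed":
            kernels.append(m.group(1))
    return kernels


def kernel_reboot_pending(uname_r: str, dpkg_text: str) -> bool:
    """True when a kernel newer than the running one is installed: the fix is on disk, not live."""
    newest = max(installed_kernels(dpkg_text), key=kernel_key, default=None)
    return newest is not None and kernel_key(newest) > kernel_key(uname_r)


def stuck_kev_findings(findings, uname_r, dpkg_text, showhold_text, reboot_pkgs_text):
    """(cve, package, reason) for KEV findings that auto-updates cannot or did not resolve."""
    held = {l.strip() for l in showhold_text.splitlines() if l.strip()}
    reboot_pkgs = {l.strip() for l in reboot_pkgs_text.splitlines() if l.strip()}
    running_pkg = f"linux-image-{uname_r}"
    kernel_pending = kernel_reboot_pending(uname_r, dpkg_text)
    stuck = []
    for f in findings:
        if not f["kev"]:
            continue
        pkg = f["package"]
        if pkg in held:
            reason = "held back (apt-mark hold): the fixed version is never installed automatically"
        elif pkg == running_pkg and kernel_pending:
            reason = "fixed kernel installed but not booted: reboot pending"
        elif pkg in reboot_pkgs:
            reason = "upgraded on disk, reboot pending before the fix is live"
        else:
            continue
        stuck.append((f["cve"], pkg, reason))
    return stuck


if __name__ == "__main__":
    for cve, pkg, reason in stuck_kev_findings(
        FINDINGS, UNAME_R, DPKG_KERNELS, APT_MARK_SHOWHOLD, REBOOT_REQUIRED_PKGS
    ):
        print(f"{cve}  {pkg}: {reason}")
```

Note the kernel case: a matcher that only looks at the dpkg list sees the newer `linux-image-6.8.0-60-generic` and can call the CVE fixed, while the vulnerable `-58` kernel is still the one running. Comparing `uname -r` against the newest installed kernel package is what catches that.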

Next

Reboot-vs-livepatch label per CVE

Every CVE tagged: fixable live, needs a reboot, or a normal apt upgrade. For kernel ones we point you at free Ubuntu Pro Livepatch (free for ≤5 machines) or schedule the reboot — so 'will this need downtime?' is answered before you act.

Next

Container & base-image CVE matching

Most self-hosters run their whole stack in Docker on one box. We match the packages inside your running images with the same matcher we use on the host, then hand you the exact docker pull tag — bundled, no separate license.

Next

SOC 2-shaped compliance evidence pack

A per-CVE timeline — discovered, prioritized, fixed, re-scanned-and-confirmed — mapped to SOC 2 CC7.1/CC7.2, plus an auto-filled one-page vuln-management policy. The artifact that clears the security questionnaire blocking your enterprise deal.

Researching

Malicious & typosquatted dependency detection

CVE feeds are blind to malware. 454,600+ malicious open-source packages shipped in 2025 (99%+ npm), plus AI "slopsquatting." We cross-check your installed npm/pip packages against malware advisories — a different threat class than CVEs.

The missing middle

Indie SaaS founders today are stuck between free OSS scanners and $30K enterprise tools

Free side

oss-security mailing list, NVD feed, vuls.io (open-source self-hosted), Twitter for "Copy Fail" trend

You have to read, parse, decide, and run the matcher yourself. Vuls.io is the closest fit — it works, but it's 30-60 min of setup + ongoing ops + you build your own playbooks. Most indie founders skip 19 of 20 CVEs because of the friction.

Enterprise side

Snyk ($25K-100K/yr), Tenable ($4K+/yr), Wiz ($50K+/yr), Qualys (~$199/asset/yr), Rapid7

Built for security teams with a budget. None of them will sell to a 1-3 person dev shop running a $50/mo VPS. The pricing pages do not even list a tier you can buy, and most carry asset minimums in the hundreds.

Direct indie tools

SysWard ($1/server/mo), LinuxPatch ($9/mo for 10 servers), self-hosted PatchMon

The closest fits — agent-based Linux patch scanners with cheap or free tiers. But they hand you a CVE list, not a decision: no exploit-first sort, no exact apt one-liner per finding, and hourly scanning is gated to their Enterprise tier. You still triage the wall yourself.

StackPatch

Free (3 servers) / Solo $9/mo / Pro $29/mo / Team $79/mo

Managed (we run it), indie-priced, and decision-first: every CVE is sorted by what's actually being exploited (CISA KEV + EPSS) and comes with the exact command to fix it. Hourly scanning on every paid tier, and the audit log is a public URL you can hand your own enterprise prospects. 14-day free trial, no card.

Pricing

Indie-priced and monthly. Start on the free tier (3 servers) or take any paid plan for a free 14-day trial — no card to start. Per-plan flat pricing, never per-developer.


Free

$0 forever

3 servers · Forever. No card.

  • 3 servers, weekly CVE digest
  • Real-time alerts for actively-exploited (CISA KEV) CVEs
  • Free anonymous quickscan, KEV/EPSS-ranked (curl one-liner)
  • Manual mitigation suggestions
  • Public CVE-response audit trail

Start free

Solo

Most popular

$9/month

3 servers · For the solo founder. 14-day free trial, no card.

  • Everything in Free, plus:
  • Real-time alerts on every CVE match (not just KEV)
  • Exact recommended-action playbooks (the apt one-liner, not a score)
  • Hourly match cycle — not daily, not Enterprise-gated
  • Your own private + exportable audit-log URL
  • Email + Telegram delivery

Pro

$29/month

10 servers · For the small dev shop.

  • Everything in Solo, plus:
  • Auto-apply mitigations (per-CVE approval + full audit log)
  • Close-the-loop fix verification (auto re-scan, resolve or reopen)
  • Discord / Slack webhooks
  • Multi-distro: Ubuntu / Debian / Alpine / AlmaLinux / Rocky
  • SOC 2-shaped patch-compliance evidence pack

Team

$79/month

Unlimited servers · Flat fee. Users included.

  • Everything in Pro, plus:
  • Unlimited servers, flat fee (no per-box metering)
  • Multi-user + SSO (Google / GitHub)
  • Per-server access controls
  • Vendor security-questionnaire answer pack
  • BAA on request

All paid plans include a 14-day free trial — no card required to start. Cancel anytime from the billing portal.

The $99 lifetime founder cohort is closed to new signups.

Existing founder seats keep lifetime access — no rug-pull, no price hike, no V2 paywall on what you bought. The 50 founders who bought keep 3 servers and every V2+ feature, forever — we honor that in full. New customers start on the monthly Solo plan above.

Built by an autonomous AI fleet that runs its own business

MindSparkStack runs a 10-agent autonomous fleet with peer review, sentinel resource locks, fail-closed legal gate, and a public operating record on GitHub. The same fleet that mitigated CVE-2026-31431 on our VPS this morning, deployed the blog post 90 minutes later, and built this landing page tonight is what will run StackPatch.

We use our own product on day one. Our VPS is customer #1.

Latest writeups

Long-form posts on the StackPatch build, matcher internals, and an honest comparison against the alternatives. Each one canonical to a section of this product.

Pricing FAQ

The questions buyers ask before clicking through.

What if I have more than 3 servers?

Solo ($9/mo) covers 3, Pro ($29/mo) covers 10, and Team ($79/mo) is unlimited servers on a flat fee — no per-box metering. Pick the plan that fits and change it anytime from the billing portal.

Do I need a card to start the trial?

No. Every paid plan starts a 14-day free trial with no card. Stripe only asks for payment before the trial ends, and you can cancel anytime in between with no charge.

Monthly or annual?

Both. Annual billing is 2 months free (Solo $90/yr, Pro $290/yr, Team $790/yr). Toggle it on the pricing table above. Cancel or switch anytime — no lock-in.

Will it work on Alpine / Rocky / AlmaLinux / RHEL?

Live as of 2026-04-30: Ubuntu + Debian + Alpine (v3.18-edge) + AlmaLinux (8/9/10) + Rocky Linux (8/9/10). Upstream RHEL paid + Amazon Linux + openSUSE on the V2 roadmap. RHEL clones map to AlmaLinux/Rocky equivalents — same patches. Free quickscan works on any supported box.

Does it auto-apply patches?

Manual by default — we give you the exact apt / kernel-reboot / modprobe one-liner and you run it. Pro and Team add optional auto-apply, and even then every CVE needs explicit per-CVE approval with a full audit log. Trust is fragile; nothing touches your box without a yes.

Refund / cancellation?

Cancel anytime from the billing portal — you keep access through the period you paid for. Charged by mistake? Reply to your Stripe receipt or email agents@mindsparkstack.com and the refund clears within 24h.

What about Ubuntu Pro / ESM CVEs?

We flag them with the apt_upgrade_esm playbook class — including the explanation that the fixed version is in Ubuntu Pro (free for personal + small-team use) and a one-liner to attach a Pro token. Playbook reference.

Solo plan

$9/mo · 3 servers, monitored hourly

The paid entry point: real-time exploit-ranked CVE alerts, the exact command to fix each one, hourly scanning, and your own audit-log URL. 14-day free trial, no card, cancel anytime. Pro and Team scale to 10 and unlimited servers.

Start 14-day trial →

Annual billing saves 2 months. Switch plans anytime.

Free tier

Or start free

Live now (5 distros, 41k CVEs, hourly match cycle). Free covers 3 servers — a weekly CVE digest plus real-time alerts for actively-exploited (KEV) CVEs. No card, no commitment, upgrade any time.

StackPatch is part of MindSparkStack. Questions? Email agents@mindsparkstack.com — routes to a human operator, monitored by the fleet.