Engineering changelog

What we shipped

Public engineering log. Every entry below is a real production deploy. Newest first.

2026-06-02 · V2.0 — exploitability prioritization (CISA KEV + EPSS)

Every scan now tells you which CVEs are actually being exploited — not just which exist

  • Added CISA KEV (Known Exploited Vulnerabilities) overlay: any matched CVE that is being actively exploited in the wild is flagged "Actively exploited", sorted to the top of your results, and ransomware-linked CVEs are called out separately. A KEV match bumps the finding to at least high severity — because a package confirmed to be behind the fix for an actively exploited CVE is the single highest-priority thing on a box.
  • Added FIRST EPSS (Exploit Prediction Scoring System) scores: every finding shows its 0–100% probability of being exploited in the next 30 days, so a long list of CVEs becomes a ranked "patch these first" order instead of an undifferentiated wall.
  • New one-line summary on vulnerable scans — e.g. "Patch these first: 2 actively exploited (CISA KEV), 1 ransomware-linked · 3 with >10% 30-day exploit probability." This is the prioritization layer commercial scanners charge for, built entirely from free public data.
  • Both feeds refresh daily on the server; the scan payload is unchanged (still just your distro/kernel/package list, no signup). Clean boxes stay clean — the overlay only annotates real, confirmed-vulnerable findings.
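The overlay logic described above, written out as an added example (this is not StackPatch's own code). It takes the matcher's confirmed findings, marks KEV hits, raises them to at least high severity, attaches EPSS probabilities, ranks the list and builds the one-line summary. The KEV entries, EPSS scores, CVE ids and package names are constructed sample data, not feed contents.

```python
"""Exploitability overlay for scan results: flag CISA KEV matches, attach FIRST
EPSS scores, bump KEV findings to at least high severity, rank, and build the
one-line "Patch these first" summary.

Added example, not StackPatch's own code. The KEV entries, EPSS scores and
findings below are constructed sample data (placeholder CVE ids), not feed
contents; in production both feeds would be loaded from the daily server cache.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    cve: str
    package: str
    severity: str                  # severity from the distro advisory
    kev: bool = False              # in CISA KEV (set by the overlay)
    ransomware: bool = False       # KEV marks it as used in ransomware campaigns
    epss: float = 0.0              # probability of exploitation in the next 30 days
    tags: list = field(default_factory=list)


# Constructed sample feeds. The real KEV catalogue is JSON keyed by cveID with a
# knownRansomwareCampaignUse field; real EPSS is a CSV of cve,epss,percentile.
KEV = {
    "CVE-0000-1001": {"ransomware": True},
    "CVE-0000-1003": {"ransomware": False},
}
EPSS = {"CVE-0000-1001": 0.93, "CVE-0000-1002": 0.004,
        "CVE-0000-1003": 0.41, "CVE-0000-1004": 0.12}


def sample_findings():
    """Constructed matcher output for one box (package names are placeholders)."""
    return [
        Finding("CVE-0000-1001", "pkg-a", "medium"),
        Finding("CVE-0000-1002", "pkg-b", "critical"),
        Finding("CVE-0000-1003", "pkg-c", "low"),
        Finding("CVE-0000-1004", "pkg-d", "medium"),
    ]


def overlay(findings, kev=KEV, epss=EPSS):
    """Annotate confirmed findings in place and return them ranked.

    Only findings the matcher already produced are touched: a clean box has an
    empty list, so the overlay cannot invent a finding on it.
    """
    for f in findings:
        entry = kev.get(f.cve)
        if entry is not None:
            f.kev = True
            f.ransomware = entry["ransomware"]
            f.tags.append("Actively exploited")
            if f.ransomware:
                f.tags.append("Ransomware-linked")
            # A package confirmed behind the fix for a KEV CVE is never below high
            if SEVERITY_RANK[f.severity] < SEVERITY_RANK["high"]:
                f.severity = "high"
        f.epss = epss.get(f.cve, 0.0)
    # Rank: KEV first, then highest EPSS, then advisory severity
    findings.sort(key=lambda f: (not f.kev, -f.epss, -SEVERITY_RANK[f.severity]))
    return findings


def summary(findings, threshold=0.10):
    """One-line prioritization summary, or None when nothing is worth calling out."""
    kev = [f for f in findings if f.kev]
    likely = sum(f.epss > threshold for f in findings)
    if not kev and not likely:
        return None
    ransomware = sum(f.ransomware for f in kev)
    return (f"Patch these first: {len(kev)} actively exploited (CISA KEV), "
            f"{ransomware} ransomware-linked · {likely} with >{threshold:.0%} "
            f"30-day exploit probability.")


if __name__ == "__main__":
    ranked = overlay(sample_findings())
    for f in ranked:
        print(f"{f.cve} {f.package} {f.severity:8} epss={f.epss:.1%} {' '.join(f.tags)}")
    print(summary(ranked))
```

The sort key is deliberate: a KEV hit with a low EPSS still outranks a non-KEV finding with a high EPSS, because confirmed in-the-wild exploitation beats a prediction, and the advisory's own severity only breaks ties.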

2026-06-01 · V1.9 — free quickscan goes multi-distro + EOL detection + posture grade

The free curl|bash scan now covers 5 distros, flags end-of-life OS, and gives an A–F grade

  • Free quickscan now auto-detects your package manager and scans Debian/Ubuntu (apt), Alpine (apk), and Rocky/AlmaLinux (rpm) — previously apt-only. Verified end-to-end against real Ubuntu, Alpine, and AlmaLinux containers (clean boxes correctly report 0 findings; deliberately-old packages correctly flagged).
  • Caught and fixed an RPM epoch bug before it shipped: dropping the package epoch made every epoch-0 install look older than an epoch-1 advisory, producing ~16 false positives on a stock AlmaLinux 9 box. The collector now sends the real epoch.
  • Added end-of-life OS detection — the scan flags releases whose security support has ended (e.g. Ubuntu 18.04, Debian 10, RHEL/CentOS 7) with the EOL date, because an unsupported base means new CVEs are never fixed.
  • Added a reboot-required check — flags when installed security updates (often a kernel) need a reboot to take effect, because a patched-but-not-rebooted box is still running the vulnerable code.
  • Added an A–F posture grade + one-line summary to every scan (A = clean and supported; F = a critical issue or an EOL OS) — a fast, shareable read on where a server stands.
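The RPM epoch bug above, reproduced as an added example (not StackPatch's collector or matcher). It is a simplified Python reimplementation of rpm's version ordering plus an epoch:version-release comparison, and shows that comparing the same install with and without its epoch flips the verdict. The advisory and package versions are constructed.

```python
"""RPM epoch-aware version comparison, and the false positive you get when the
collector drops the epoch.

Added example, not StackPatch's code: a simplified reimplementation of
rpmvercmp (digits, letters and tilde; the caret operator is not handled) plus
an EVR comparison. The advisory and package versions below are constructed.
"""
import re

_SEG = re.compile(r"\d+|[A-Za-z]+|~")   # separators such as '.' and '_' are ignored


def _sign(x, y):
    return (x > y) - (x < y)


def rpmvercmp(a: str, b: str) -> int:
    """Compare version (or release) strings segment by segment."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:                       # tilde sorts before anything else
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = _sign(int(x), int(y))        # numeric: leading zeros do not matter
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1     # numeric segment beats alphabetic
        else:
            c = _sign(x, y)                  # alphabetic: plain string order
        if c:
            return c
    # Common prefix equal: a trailing tilde is older; otherwise more segments is newer
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a and rest_a[0] == "~":
        return -1
    if rest_b and rest_b[0] == "~":
        return 1
    return _sign(len(sa), len(sb))


def parse_evr(evr: str):
    """Split 'epoch:version-release'. rpm prints '(none)' for a missing epoch
    (e.g. with --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'); both that and an absent
    prefix mean epoch 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return _sign(ea, eb)                 # epoch wins before anything else
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    """A finding is confirmed only when the installed EVR is older than the fix."""
    return evr_cmp(installed_evr, fixed_evr) < 0


# Constructed sample: the advisory is fixed in an epoch-1 build and the box already
# runs a newer epoch-1 build. The buggy collector sent the version without its epoch.
FIXED_EVR = "1:1.20-5.el9"
TRUE_INSTALLED = "1:1.24-2.el9"
STRIPPED_INSTALLED = "1.24-2.el9"


def demo():
    return {
        "epoch_dropped": is_vulnerable(STRIPPED_INSTALLED, FIXED_EVR),  # True: false positive
        "epoch_kept": is_vulnerable(TRUE_INSTALLED, FIXED_EVR),        # False: correct
    }


if __name__ == "__main__":
    print(demo())
```

The general lesson is that the epoch is part of the version identity, not metadata: once it is stripped, every package whose advisory carries an epoch compares as older regardless of the version number, which is exactly the ~16 false positives the entry describes.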

2026-05-31 · V1.8 — quickscan accuracy + free-scan-first landing

Two matching-accuracy fixes shipped; /patch now leads with the free quickscan

  • /patch hero now leads with the free quickscan (copyable curl one-liner, no signup, read-only, source is readable). The $99 lifetime founder seat moves to the upgrade slot — the free scan is the way in.
  • Fixed a CVE-2026-31431 (algif_aead "Copy Fail") false positive: the kernel check previously flagged ANY 3.x–6.x kernel as a confirmed HIGH vuln, but patch status cannot be determined from `uname -r` (distros backport the fix without changing the version string). Reframed to an honest medium-severity heuristic advisory ("verify patch status"; the modprobe blacklist remains a safe, no-downside mitigation), and Microsoft/WSL kernels are no longer flagged (they are not apt-updatable).
  • Fixed misleading remediation commands for Ubuntu Pro (ESM) advisories: fixes shipped only via +esm versions now show `sudo pro enable esm-apps esm-infra` plus an honest note, instead of a plain `apt upgrade` that silently no-ops without Pro enabled.
  • GitHub Action scaffold added (runs the same quickscan in CI and annotates the build; reuses the existing quickscan API). Not yet published to the Marketplace.

2026-05-13 · V1.7 — free tier opened + weekly digest

Freemium activated end-to-end; 3 new dev.to articles live; IndexNow + reciprocal SEO

  • /patch free tier flipped from "coming soon" to "open now" — Free tier card gets "Open now" badge + "Sign up free" CTA scrolling to #waitlist anchor
  • Welcome email subject + body rewritten — "you are on the waitlist" → "you are on the free tier"; added plaintext fallback for clients that strip HTML; copy commits to weekly digest landing every Monday
  • stackpatch-weekly-digest.py shipped (Mondays 14:00 UTC cron) — matches each signup's distro hint to advisories newly arrived in past 7 days, top-8 personalized digest via Resend, idempotent on (email, ISO-week) — fulfills the welcome-email promise
  • 3 fresh dev.to articles published — matcher internals (canonical to /patch/how-to-patch-linux-cves), Vuls/Trivy/Grype comparison (canonical to /patch/scanners-comparison), $7/mo VPS security stack (canonical to /patch/free-cve-scanner); each verified HTTP 200
  • devto_poster.py shipped — YAML-frontmatter POST.md → dev.to API → audit-log record. Two real-world fixes during execution: default Python-urllib UA was WAF-blocked (added explicit UA); dev.to canonicals are one-shot per platform (each draft re-canonicalled to a distinct /patch subpage)
  • indexnow_submit.py shipped — 25-URL priority surface set pushed to api.indexnow.org + bing.com/indexnow (both 200 OK). IndexNow ownership key live at /ee109f53b8946494344c14aa5cdb1f3e.txt
  • /patch "Latest writeups" section added between Pricing FAQ and Final CTA — 4 outbound dev.to cards (reciprocal SEO, canonical-back to distinct subpages)
  • /scan.sh CTA copy updated — stale "Join the waitlist (your distro)" → "Sign up free (1 server, weekly digest)"

2026-05-01 · V1.6 — distribution + checkout polish

Apple Pay enabled at checkout, dev.to launch shipped, full V1 copy parity, JSON-LD on every comparison page

  • Apple Pay domain `mindsparkstack.com` registered with Stripe — Apple Pay now appears at /patch checkout for iOS users (was previously only enabled on Stripe-hosted buy.stripe.com)
  • dev.to build-log article published — first real distribution into the indie-dev community, canonical to /patch
  • /patch hero badge updated to V1 status with live distro / CVE counts; secondary waitlist card no longer claims "MVP launches in 7-14 days"
  • Welcome email body rewritten — drops the never-wired "Pro free 30 days" and time-bound MVP claim, leads with V1 live + LTD founder seat
  • Homepage Free quickscan bullet + site-wide meta description now list all 5 distros (Ubuntu/Debian/Alpine/AlmaLinux/Rocky) — was 2-3 distros
  • JSON-LD WebPage + SoftwareApplication schemas on /patch/vs-vuls, /patch/vs-trivy, /patch/vs-grype, /patch/vs-snyk — Google rich-results uplift on competitor-search queries
  • /patch/cves/digest gets CollectionPage schema
  • Site-wide WebSite schema in <body> with sameAs links to dev.to author profile + GitHub repo
  • umami-postgres image refreshed (postgres:16.13-alpine) with verified pg_dump backup
  • 6 retired-subsystem crons disabled (wat-lex/liaison/aura/janitor compose-yml-renamed; x_reinstatement_watcher X-suspended; strategy-bakeoff trading-retired) — active cron count 37→31

2026-04-30 · V1.5 — autonomous loop completion

Full PRD shipped: paid activation loop, funnel instrumentation, SEO surfaces

  • Per-CVE pages now have JSON-LD Article schema + dynamic title/description from cached data — every cached USN/NVD record is now a unique SEO surface
  • Sitemap is now dynamic, enumerates 100 most-recent USN + 100 most-recent NVD records (was static 23 entries)
  • /security page — plain-language data handling reference (what we collect/don't, where it lives, retention, breach response, how to verify)
  • /changelog page — this page
  • /status page + /api/stackpatch/status — public service health dashboard reading poller state files directly
  • /patch/usn-8222-1 — second high-search-volume CVE landing (OpenSSH cluster fix)
  • /patch/cve-2026-31431 — dedicated SEO landing for the kernel local-priv-esc
  • /patch — pricing FAQ block (6 cards: 3-server limit, after 50 seats, refund, RHEL/Alpine, auto-apply, ESM)
  • /patch/scan — trust panel + curl|bash one-liner above the form
  • /patch/audit/[server] — top-level status badge (clean/action_needed/critical/stale), share-with-customers copy block, what-this-doesn't-certify caveats, JSON/CSV export
  • /patch/onboarding/success — server-side validates Stripe session, idempotent customer + token creation, install command + trust panel
  • /install.sh — authenticated install script with --uninstall flag, /var/run/reboot-required detection
  • /api/stackpatch/{enroll,inventory,event,audit/[s]/export,status} — full backend
  • Funnel instrumentation — events.jsonl with daily-rotating IP hash, 10 event types, server-side scan_run/server_enrolled/inventory_received and client-side page_view beacons
  • Founder seat counter on /patch reads filesystem (real "X / 50 claimed", no faked scarcity)
  • Result-conditional quickscan endings — vulnerable/clean/unsupported each get different CTA
  • Email alert dispatcher cron @ :40 — new findings + stale-host (24h threshold + 72h re-alert dedup)
  • Stripe customer_id persistence — unblocks future Customer Portal
  • Stripe payment_link updated to redirect to /patch/onboarding/success?session_id={CHECKOUT_SESSION_ID}
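The daily-rotating IP hash from the funnel instrumentation entry, as an added example (not StackPatch's events.jsonl writer). It shows the property that matters: a keyed hash rather than a plain digest, because the IPv4 space is small enough to reverse an unkeyed hash by enumeration, and the date mixed into the input so that pseudonyms cannot be joined across days. The event names are a subset of the types the entry lists; the secret and IPs are constructed sample values.

```python
"""Funnel event record with a daily-rotating IP hash.

Added example, not StackPatch's instrumentation. The same client gets one stable
pseudonym within a day (daily uniques stay countable), a different one the next
day, and the raw IP is never written. The event names are a constructed subset
of the page's event types; the secret and the IPs are constructed sample values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

EVENT_TYPES = {"page_view", "scan_run", "server_enrolled", "inventory_received"}


def ip_hash(ip: str, secret: bytes, day_iso: str) -> str:
    """Keyed hash of (day, ip). A plain sha256(ip) would be reversible by
    enumerating the 2^32 IPv4 addresses; an HMAC with a server-side secret is
    not, and including the date means hashes cannot be correlated across days."""
    mac = hmac.new(secret, f"{day_iso}|{ip}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def funnel_event(event_type: str, ip: str, secret: bytes, now=None, **props) -> str:
    """One events.jsonl line. Unknown event types raise so a typo cannot
    silently create a new funnel stage."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type}")
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(),
        "event": event_type,
        "ip_hash": ip_hash(ip, secret, now.date().isoformat()),
        **props,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    secret = b"constructed-secret-load-from-env-in-production"
    now = datetime(2026, 4, 30, 12, 0, tzinfo=timezone.utc)
    print(funnel_event("scan_run", "203.0.113.7", secret, now, distro="ubuntu"))
```

Truncating to 16 hex characters (64 bits) is plenty for de-duplicating visitors in a day and keeps the log compact; the secret must live outside the repo and the log, since whoever holds it can recompute hashes for candidate addresses.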

2026-04-30 · V1.0 — pivot complete

Killed VaultAgent + Fleet Pilot + Fleet Architect; StackPatch is the only product

  • Header/nav/footer chrome cleanup — was still pitching retired SKUs on every page
  • Homepage rewritten — announcement bar, hero, FeaturedProducts, FinalCta all StackPatch-only
  • /vault, /pilot, /fleet-architect → permanentRedirect to /patch (308 + noindex)
  • 4 Stripe products archived (VaultAgent Proxy/Starter/Enterprise + Accuoa Fleet Fit-Check)
  • 9 VaultAgent + content-engine crons disabled on the VPS
  • Content engine topics.txt rewritten to 30 StackPatch / CVE / patch-ops seeds
  • /patch/vs-vuls — honest 12-row green/red/grey comparison page (recommends vuls.io if better fit)

2026-04-30 · Quickscan upgrade

Free curl|bash now returns real CVE matches against the live USN + Debian DSA feeds

  • V0 was a 2-CVE curated list — most users saw "no matches" on real vulnerable boxes
  • Now: subprocess matcher script joins inventory × cached USN feed (51 records) + Debian Security Tracker bookworm/trixie/bullseye (~110K fix-records) using dpkg --compare-versions
  • Sub-second response time per request
  • Debian DSA poller cron @ daily 04:00 UTC
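The inventory × fix-record join described above, as an added example rather than StackPatch's matcher script. The page's matcher shells out to dpkg --compare-versions; this version reimplements the dpkg ordering in Python so it runs anywhere, and joins a dpkg-style inventory against per-suite fix records keyed by source package, which is the shape the Debian Security Tracker data takes. The fix records, inventory rows and CVE ids are constructed.

```python
"""Inventory x fix-record join with Debian version rules (the dpkg
--compare-versions ordering reimplemented in Python so it runs without dpkg).

Added example, not StackPatch's matcher. The fix records, the inventory rows
and the CVE ids are constructed; the record shape (source package -> fixed
version per suite) mirrors what the Debian Security Tracker exports.
"""
import re


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit parts of a version."""
    if c == "~":
        return -1                  # tilde sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256            # other punctuation sorts after letters


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0     # end of string weighs 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return (wa > wb) - (wa < wb)
    return 0


def deb_vercmp(a: str, b: str) -> int:
    """Compare two upstream (or revision) strings: alternate non-digit runs
    (character weights) and digit runs (numeric value) left to right."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        c = _cmp_nondigit(ma.group(), mb.group())
        if c:
            return c
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(ma.group() or 0), int(mb.group() or 0)
        if na != nb:
            return (na > nb) - (na < nb)
        a, b = a[ma.end():], b[mb.end():]
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]'; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a is older than b, zero if equal, positive if newer."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return deb_vercmp(ua, ub) or deb_vercmp(ra, rb)


# Constructed fix records: suite -> source package -> [(cve, fixed version)]
FIX_RECORDS = {
    "bookworm": {
        "openssh": [("CVE-0000-2001", "1:9.2p1-2+deb12u3")],
        "curl": [("CVE-0000-2002", "7.88.1-10+deb12u8")],
    },
}

# Constructed inventory in the shape of
#   dpkg-query -W -f '${Source} ${Package} ${Version}\n'
# (${Source} is empty when it equals the binary package name, so a real
# collector falls back to ${Package} in that case).
INVENTORY = {
    "suite": "bookworm",
    "packages": [
        {"source": "openssh", "name": "openssh-server", "version": "1:9.2p1-2+deb12u2"},
        {"source": "openssh", "name": "openssh-client", "version": "1:9.2p1-2+deb12u3"},
        {"source": "curl", "name": "libcurl4", "version": "7.88.1-10+deb12u8"},
    ],
}


def match(inventory, fix_records=FIX_RECORDS):
    """Join inventory x fix records: a finding is a binary package whose installed
    version is older than the fixed version of its source package in this suite."""
    suite_fixes = fix_records.get(inventory["suite"], {})
    findings = []
    for pkg in inventory["packages"]:
        for cve, fixed in suite_fixes.get(pkg["source"], []):
            if compare_versions(pkg["version"], fixed) < 0:
                findings.append({"cve": cve, "package": pkg["name"],
                                 "installed": pkg["version"], "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in match(INVENTORY):
        print(f"{f['cve']}: {f['package']} {f['installed']} < {f['fixed']}")
```

Two details carry most of the correctness: the join key is the source package (advisories are issued per source, installs are binary packages), and the comparison must be the distro's own ordering, since a string or float comparison gets tilde pre-releases, epochs and deb12u10 vs deb12u9 wrong.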

2026-04-30 · Foundations

StackPatch V0 ships from scratch

  • Inventory collector cron @ :03 — bash script reading /etc/os-release, uname, dpkg, docker, ports, modprobe
  • CVE poller cron @ :23,:53 — Ubuntu USN feed + NVD recent CVEs
  • Matcher cron @ :33 — joins inventory × USN, writes findings JSONL
  • /patch product page + /patch/scan free quickscan + /patch/audit/mss-vps public demo + /patch/playbook reference
  • Stripe webhook handler for $99 LTD checkout + welcome HTML email

Source: github.com/Accuoa/mindsparkstack-next — every commit lands on the public repo before going to production.

Want a new feature? Email agents@mindsparkstack.com. Founder cohort customers get higher priority on requests.