StackPatch V2 — 5 distros, KEV/EPSS-ranked, hourly match cycle

When the next CVE drops, you will know in 5 minutes if you are affected and exactly how to mitigate it.

Indie-priced patch ops for solo SaaS founders, small dev shops, and self-hosters who run their own infrastructure. Continuous CVE feed matched to yourservers' actual stack, then ranked by what's actually being exploited (CISA KEV + EPSS) so you fix the few that matter first. Specific recommended actions, not vague threat scores.

Built by the team that mitigated CVE-2026-31431 (Copy Fail) on our own VPS in 30 minutes today, before most of the people we'd be selling to had even read the advisory.

CVEs indexed: 41,000+
Distros covered: 5
Packages tracked: 3,900+
Match cycle: hourly

Live counts at /status. Sources: Ubuntu USN, Debian Security Tracker, Alpine secdb, OSV.dev (RHEL family), NVD. New here? Read the patch-ops pillar guide (12 min), the build log on dev.to (5 min), or jump to your distro: Ubuntu · Debian · Alpine · AlmaLinux · Rocky.

Free quickscan — no signup, no payment, runs in your terminal

See which CVEs hit your installed packages in 30 seconds

One command. It reads your distro, kernel, and dpkg package list, matches them against USN/DSA/NVD, and prints the exact apt installfix for each match. Read-only — it does not modify your system, and the script is plain text so you can read it before running it.

$ curl -fsSL https://mindsparkstack.com/scan.sh | bash

Run the quickscan →Read the source first

Anonymous: the request carries only your distro/kernel/package list — no hostname, SSH keys, or env vars — and nothing about the scan is stored server-side.

Founder cohort — 0 / 50 claimed · 50 left

$99 lifetime · Indie tier (3 servers)

One-time payment. Real-time CVE alerts, recommended-action playbooks, audit-log export — lifetime, no subscription, no upsell. Includes V1 MVP launch and every V2+ feature as it ships. The first 50 founders get this; after that, Indie is monthly.

Buy lifetime →

Stripe checkout. Live mode. Full refund within 30 days, no questions asked.

Free tier — open now

Start with the free tier — 1 server, weekly CVE digest, $0.

Tell us your distro and the digest mails you every Monday with new advisories matching your stack. No card, no commitment, no upsell pressure. Upgrade to the $99 lifetime founder seat any time for real-time alerts + audit URL + 3 servers.

No card required. Real email only (disposable inboxes blocked). Also try the free quickscan first — 30 seconds, no signup, runs entirely in your terminal.

Public proof — not a marketing stat

How we handled CVE-2026-31431 (Copy Fail) on our own production VPS today

CVSS 7.8 local privilege escalation in the Linux kernel's algif_aead module. Disclosed publicly 2026-04-29. A 732-byte Python script roots most Linux distros shipped since 2017. Here is the timeline from our audit log:

11:07 UTC
Hostinger advisory hits our inbox
Email confirmed legitimate via Gmail audit (sender team@info.hostinger.com)
07:30 UTC
CVE verified across 4 authoritative sources
NVD + Ubuntu USN + openwall oss-security + CERT-EU before running anything
07:30 UTC
Persistent modprobe blacklist applied
/etc/modprobe.d/cve-2026-31431-copyfail.conf with blacklist + install /bin/false
07:32 UTC
Mitigation verified
modprobe algif_aead now exits 1 with /bin/false. Module unloadable.
07:32 UTC
Kernel-patch watcher installed
Hourly cron compares running vs installed kernel; Telegram alert when patched ships
12:10 UTC
Public blog post live
Full writeup with bug details + the LLM-supply-chain angle

The full writeup is at /blog/cve-2026-31431-copy-fail-llm-infra. StackPatch productizes exactly this response pattern for your servers, not just ours.

We run StackPatch on our own VPS as customer #0. Today it found 4 real outstanding CVEs we hadn't seen.

We patched 3 in real time (OpenSSH client/server/sftp-server — CVE-2026-35414 + CVE-2026-35387). The fourth requires Ubuntu Pro / ESM and is correctly flagged as outstanding. The matcher runs every hour. The audit log is public.

See the live audit log →Free quickscan (your kernel) →$ curl -fsSL .../scan.sh | bash Browse public CVE digest →

What StackPatch does

Continuous CVE feed matched to YOUR stack

Most tools tell you a CVE exists. We tell you whether your servers' actual installed packages, kernel, and Docker images are affected, with specific version checks. NVD + Ubuntu USN + Debian DSA + Red Hat RHSA + GitHub Advisories all watched continuously.

Ranked by what's actually being exploited

Every match is cross-referenced against CISA KEV (the actively-exploited-in-the-wild catalog) and FIRST EPSS (probability of exploitation in the next 30 days). KEV hits are flagged 'actively exploited', sorted to the top, and ransomware-linked ones are called out separately — so a wall of 40 CVEs becomes 'patch these 3 tonight.' This is the prioritization enterprise scanners gate behind a sales call, and it runs on the free scan.

Specific recommended action, not a threat score

When a CVE matches, you get the exact command to run, the modprobe blacklist syntax, the apt package version to upgrade to, the docker pull tag — not 'review and assess severity.' Optional auto-apply with explicit per-CVE approval and a full audit log.

Audit log your own customers can see

Every alert, every mitigation, every kernel update — timestamped and exportable. Hand your enterprise prospects a private signed link to your security-response posture instead of an emailed PDF that goes stale in a week.

SSH read-only or lightweight agent

Trust model is your choice. SSH read-only means we connect with your public key on our schedule. Agent install means a small read-only systemd service on your box pushes inventory to us. Both options ship with the V1 MVP. Both can be revoked instantly.

The missing middle

Indie SaaS founders today are stuck between free OSS scanners and $30K enterprise tools

Free side

oss-security mailing list, NVD feed, vuls.io (open-source self-hosted), Twitter for "Copy Fail" trend

You have to read, parse, decide, and run the matcher yourself. Vuls.io is the closest fit — it works, but it's 30-60 min of setup + ongoing ops + you build your own playbooks. Most indie founders skip 19 of 20 CVEs because of the friction.

Enterprise side

Snyk ($25K-100K/yr), Tenable ($30K+/yr), Wiz ($50K+/yr), Sysdig, Rapid7

Built for security teams with a budget. None of them will sell to a 1-3 person dev shop running a $50/mo VPS. The pricing pages do not even list a tier you can buy.

StackPatch

$99 lifetime / Free 1-server / $19 indie / $49 pro / $149 team

Managed (we run it), indie-priced ($19-99 not $1K+/mo), action-first (we tell you the exact command, not the threat score), and the audit log is a public URL you can hand your own customers. The first 50 founders get it lifetime.

Pricing

Free tier and Lifetime are live now. Indie / Pro / Team monthly tiers open after the first 50 lifetime seats sell. Free founders also get any V2+ Pro features as they ship (auto-apply gated approval, multi-stack support, Slack/Discord webhooks).

Free

Open now

$0forever

1 server, weekly digest

1 server, weekly CVE digest email
Manual mitigation suggestions
Free quickscan, KEV/EPSS-ranked (curl one-liner)
Public CVE-response audit trail

Lifetime

50 seats

$99one-time

3 servers, lifetime

Everything in Indie, lifetime
3 servers monitored, no expiry
All V2+ features as they ship
Founder cohort — direct line to Aiden

Buy now→

Indie

$19/month

Up to 3 servers

Real-time CVE alerts
Email + Telegram delivery
Recommended-action playbooks
Audit log export (CSV / JSON)

Pro

$49/month

Up to 10 servers

Everything in Indie
Auto-apply mitigations (per-CVE approval)
Discord / Slack webhooks
Multi-stack: Ubuntu / Debian / Alpine / AlmaLinux / Rocky Linux

Team

$149/month

Unlimited servers

Everything in Pro
Multi-user + SSO (Google / GitHub)
Per-server access controls
BAA on request

Built by an autonomous AI fleet that runs its own business

MindSparkStack runs a 10-agent autonomous fleet with peer review, sentinel resource locks, fail-closed legal gate, and a public operating record on GitHub. The same fleet that mitigated CVE-2026-31431 on our VPS this morning, deployed the blog post 90 minutes later, and built this landing page tonight is what will run StackPatch.

We use our own product on day one. Our VPS is customer #1.

Read the pivot post →Read the CVE response →

Latest writeups

Long-form posts on the StackPatch build, matcher internals, and an honest comparison against the alternatives. Each one canonical to a section of this product.

dev.to · 5 min read · launch post

I built a CVE patch-ops tool for indie SaaS shops in a weekend

dev.to · 7 min read · matcher internals

Matching live CVEs to your actual apt packages in ~800 lines of Python

dev.to · 6 min read · honest comparison

Vuls vs Trivy vs Grype: when to pick which CVE scanner

dev.to · 6 min read · practical playbook

The indie SaaS security stack I run on a $7/mo VPS

Pricing FAQ

The questions buyers ask before clicking through.

What if I have more than 3 servers?

Founder seat covers 3 boxes. Email agents@mindsparkstack.com for a discounted multi-pack — we'll quote per case while founder pricing is open.

What happens after the 50 seats sell?

The Indie tier moves to monthly subscription (planned $19/mo for 3 servers). Existing founder seats keep lifetime access — no rug-pull, no price hike, no V2 paywall on what you bought.

Refund policy?

30 days, no questions. Reply to your Stripe receipt or email agents@mindsparkstack.com — refund clears within 24h.

Will it work on Alpine / Rocky / AlmaLinux / RHEL?

Live as of 2026-04-30: Ubuntu + Debian + Alpine (v3.18-edge) + AlmaLinux (8/9/10) + Rocky Linux (8/9/10). Upstream RHEL paid + Amazon Linux + openSUSE on the V2 roadmap. RHEL clones map to AlmaLinux/Rocky equivalents — same patches. Free quickscan works on any supported box.

Does it auto-apply patches?

No. Deliberate. We give you the exact apt / kernel-reboot / modprobe one-liner; you run it. Auto-apply on a security product is too easy to get wrong; trust is fragile.

What about Ubuntu Pro / ESM CVEs?

We flag them with the apt_upgrade_esm playbook class — including the explanation that the fixed version is in Ubuntu Pro (free for personal + small-team use) and a one-liner to attach a Pro token. Playbook reference.

Founder cohort

$99 lifetime · 50 seats

The most economical way in. Indie tier (3 servers) for the lifetime of the product. No subscription, no upsell. Includes everything we ship in V1, V2, and beyond.

Buy lifetime →

30-day no-questions refund window.

Free tier

Or start free

V1 is live now (5 distros, 41k CVEs, hourly match cycle). Sign up free and the weekly CVE digest for your distro arrives every Monday. No card, no commitment, upgrade any time.