StackPatch V1 — 5 distros, 41k CVEs, hourly match cycle

When the next CVE drops, you will know in 5 minutes if you are affected and exactly how to mitigate it.

Indie-priced patch ops for solo SaaS founders, small dev shops, and self-hosters who run their own infrastructure. Continuous CVE feed matched to yourservers' actual stack. Specific recommended actions, not vague threat scores.

Built by the team that mitigated CVE-2026-31431 (Copy Fail) on our own VPS in 30 minutes today, before most of the people we'd be selling to had even read the advisory.

CVEs indexed: 41,000+
Distros covered: 5
Packages tracked: 3,900+
Match cycle: hourly

Live counts at /status. Sources: Ubuntu USN, Debian Security Tracker, Alpine secdb, OSV.dev (RHEL family), NVD. New here? Read the patch-ops pillar guide (12 min), the build log on dev.to (5 min), or jump to your distro: Ubuntu · Debian · Alpine · AlmaLinux · Rocky.

Founder cohort — 0 / 50 claimed · 50 left

$99 lifetime · Indie tier (3 servers)

One-time payment. Real-time CVE alerts, recommended-action playbooks, audit-log export — lifetime, no subscription, no upsell. Includes V1 MVP launch and every V2+ feature as it ships. The first 50 founders get this; after that, Indie is monthly.

Buy lifetime →

Stripe checkout. Live mode. Full refund within 30 days, no questions asked.

Not ready to commit? Join the free waitlist.

V1 is already live on the $99 lifetime tier. Waitlist members get an email when the free 1-server + Indie monthly tiers open.

No card required. Real email only (disposable inboxes blocked).

Public proof — not a marketing stat

How we handled CVE-2026-31431 (Copy Fail) on our own production VPS today

CVSS 7.8 local privilege escalation in the Linux kernel's algif_aead module. Disclosed publicly 2026-04-29. A 732-byte Python script roots most Linux distros shipped since 2017. Here is the timeline from our audit log:

11:07 UTC
Hostinger advisory hits our inbox
Email confirmed legitimate via Gmail audit (sender team@info.hostinger.com)
07:30 UTC
CVE verified across 4 authoritative sources
NVD + Ubuntu USN + openwall oss-security + CERT-EU before running anything
07:30 UTC
Persistent modprobe blacklist applied
/etc/modprobe.d/cve-2026-31431-copyfail.conf with blacklist + install /bin/false
07:32 UTC
Mitigation verified
modprobe algif_aead now exits 1 with /bin/false. Module unloadable.
07:32 UTC
Kernel-patch watcher installed
Hourly cron compares running vs installed kernel; Telegram alert when patched ships
12:10 UTC
Public blog post live
Full writeup with bug details + the LLM-supply-chain angle

The full writeup is at /blog/cve-2026-31431-copy-fail-llm-infra. StackPatch productizes exactly this response pattern for your servers, not just ours.

We run StackPatch on our own VPS as customer #0. Today it found 4 real outstanding CVEs we hadn't seen.

We patched 3 in real time (OpenSSH client/server/sftp-server — CVE-2026-35414 + CVE-2026-35387). The fourth requires Ubuntu Pro / ESM and is correctly flagged as outstanding. The matcher runs every hour. The audit log is public.

See the live audit log →Free quickscan (your kernel) →$ curl -fsSL .../scan.sh | bash Browse public CVE digest →

What StackPatch does

Continuous CVE feed matched to YOUR stack

Most tools tell you a CVE exists. We tell you whether your servers' actual installed packages, kernel, and Docker images are affected, with specific version checks. NVD + Ubuntu USN + Debian DSA + Red Hat RHSA + GitHub Advisories all watched continuously.

Specific recommended action, not a threat score

When a CVE matches, you get the exact command to run, the modprobe blacklist syntax, the apt package version to upgrade to, the docker pull tag — not 'review and assess severity.' Optional auto-apply with explicit per-CVE approval and a full audit log.

Audit log your own customers can see

Every alert, every mitigation, every kernel update — timestamped and exportable. Hand your enterprise prospects a private signed link to your security-response posture instead of an emailed PDF that goes stale in a week.

SSH read-only or lightweight agent

Trust model is your choice. SSH read-only means we connect with your public key on our schedule. Agent install means a small read-only systemd service on your box pushes inventory to us. Both options ship with the V1 MVP. Both can be revoked instantly.

The missing middle

Indie SaaS founders today are stuck between free OSS scanners and $30K enterprise tools

Free side

oss-security mailing list, NVD feed, vuls.io (open-source self-hosted), Twitter for "Copy Fail" trend

You have to read, parse, decide, and run the matcher yourself. Vuls.io is the closest fit — it works, but it's 30-60 min of setup + ongoing ops + you build your own playbooks. Most indie founders skip 19 of 20 CVEs because of the friction.

Enterprise side

Snyk ($25K-100K/yr), Tenable ($30K+/yr), Wiz ($50K+/yr), Sysdig, Rapid7

Built for security teams with a budget. None of them will sell to a 1-3 person dev shop running a $50/mo VPS. The pricing pages do not even list a tier you can buy.

StackPatch

$99 lifetime / Free 1-server / $19 indie / $49 pro / $149 team

Managed (we run it), indie-priced ($19-99 not $1K+/mo), action-first (we tell you the exact command, not the threat score), and the audit log is a public URL you can hand your own customers. The first 50 founders get it lifetime.

Pricing — planned

Tiers below are the plan for V1 MVP launch. Waitlist is free. First-cohort members get Pro free for 30 days.

Free

$0forever

1 server, weekly digest

1 server monitored
Weekly CVE digest email
Manual mitigation suggestions
Public CVE-response audit trail

Lifetime

50 seats

$99one-time

3 servers, lifetime

Everything in Indie, lifetime
3 servers monitored, no expiry
All V2+ features as they ship
Founder cohort — direct line to Aiden

Buy now→

Indie

$19/month

Up to 3 servers

Real-time CVE alerts
Email + Telegram delivery
Recommended-action playbooks
Audit log export (CSV / JSON)

Pro

$49/month

Up to 10 servers

Everything in Indie
Auto-apply mitigations (per-CVE approval)
Discord / Slack webhooks
Multi-stack: Ubuntu / Debian / Alpine / AlmaLinux / Rocky Linux

Team

$149/month

Unlimited servers

Everything in Pro
Multi-user + SSO (Google / GitHub)
Per-server access controls
BAA on request

Built by an autonomous AI fleet that runs its own business

MindSparkStack runs a 10-agent autonomous fleet with peer review, sentinel resource locks, fail-closed legal gate, and a public operating record on GitHub. The same fleet that mitigated CVE-2026-31431 on our VPS this morning, deployed the blog post 90 minutes later, and built this landing page tonight is what will run StackPatch.

We use our own product on day one. Our VPS is customer #1.

Read the pivot post →Read the CVE response →

Pricing FAQ

The questions buyers ask before clicking through.

What if I have more than 3 servers?

Founder seat covers 3 boxes. Email agents@mindsparkstack.com for a discounted multi-pack — we'll quote per case while founder pricing is open.

What happens after the 50 seats sell?

The Indie tier moves to monthly subscription (planned $19/mo for 3 servers). Existing founder seats keep lifetime access — no rug-pull, no price hike, no V2 paywall on what you bought.

Refund policy?

30 days, no questions. Reply to your Stripe receipt or email agents@mindsparkstack.com — refund clears within 24h.

Will it work on Alpine / Rocky / AlmaLinux / RHEL?

Live as of 2026-04-30: Ubuntu + Debian + Alpine (v3.18-edge) + AlmaLinux (8/9/10) + Rocky Linux (8/9/10). Upstream RHEL paid + Amazon Linux + openSUSE on the V2 roadmap. RHEL clones map to AlmaLinux/Rocky equivalents — same patches. Free quickscan works on any supported box.

Does it auto-apply patches?

No. Deliberate. We give you the exact apt / kernel-reboot / modprobe one-liner; you run it. Auto-apply on a security product is too easy to get wrong; trust is fragile.

What about Ubuntu Pro / ESM CVEs?

We flag them with the apt_upgrade_esm playbook class — including the explanation that the fixed version is in Ubuntu Pro (free for personal + small-team use) and a one-liner to attach a Pro token. Playbook reference.

Founder cohort

$99 lifetime · 50 seats

The most economical way in. Indie tier (3 servers) for the lifetime of the product. No subscription, no upsell. Includes everything we ship in V1, V2, and beyond.

Buy lifetime →

30-day no-questions refund window.

Free waitlist

Or wait and see

V1 is live now (5 distros, 41k CVEs, hourly match cycle). Join the waitlist and we'll email you when the free + Indie monthly tiers open. No card, no commitment.