StackPatch vs vuls.io — the honest version

vuls.io is the obvious comparison and we won't pretend it isn't. It's free, open-source, mature, and supports more distros than we do. If you have the time and skill to run it, it's a great choice. This page is the side-by-side we'd want to read before paying us anything.

Side-by-side feature matrix

Green = clear advantage. Red = clear disadvantage. Grey = neutral / depends on context. We tried to be honest; if you find an inaccuracy in the vuls.io column, email us and we'll fix it.

Price
  • vuls.io: Free, open source (GPLv3)
  • StackPatch: $99 lifetime founder seat or monthly tiers

Source code
  • vuls.io: Public — github.com/future-architect/vuls
  • StackPatch: Closed source — but bash/Python scanner is plain text and read-before-pipe

Setup time
  • vuls.io: Half a day. Install Go, vuls + go-cve-dictionary + goval-dictionary + gost + cve-search; download multi-GB DBs; wire scan + report flow.
  • StackPatch: Five seconds. curl https://mindsparkstack.com/scan.sh | bash

Where data lives
  • vuls.io: Your servers (self-hosted)
  • StackPatch: Our VPS — distro/kernel/package list only, no IPs, no hostnames, no env

Distros covered
  • vuls.io: Ubuntu, Debian, RHEL, CentOS, Oracle, Amazon Linux, openSUSE, Alpine, FreeBSD, Windows
  • StackPatch: Ubuntu + Debian + Alpine + AlmaLinux + Rocky Linux (live). RHEL/CentOS, Amazon Linux on the V2 roadmap.

Recommended actions
  • vuls.io: Lists the CVE; you read it and figure out the fix command yourself
  • StackPatch: Per-finding playbook: exact apt / kernel-reboot / modprobe one-liner

Public audit URL
  • vuls.io: None — scan output is internal HTML/JSON
  • StackPatch: Yes — share /patch/audit/your-server with customers as a posture artifact

Polling cadence
  • vuls.io: Whatever you cron yourself
  • StackPatch: Hourly inventory + 30-min CVE poll, all managed

DB maintenance
  • vuls.io: You rebuild go-cve-dictionary, gost, goval-dictionary on a schedule
  • StackPatch: Zero — we run the USN + NVD pollers

Notifications
  • vuls.io: Slack, email — but you tune severity gates yourself
  • StackPatch: Email + Discord planned for V1.5; severity threshold per project

Best for
  • vuls.io: Security engineer with half a day and ongoing patch-ops time
  • StackPatch: Solo founder running 1–10 Linux boxes who wants the answer in five minutes

Maturity
  • vuls.io: Battle-tested since 2016, 10K+ GitHub stars
  • StackPatch: V1 launched 2026-04-30. Used in production on our own VPS.

Pick vuls.io if

You have a security engineer and time to invest.

  • You run upstream RHEL (paid Red Hat), CentOS Stream, Amazon Linux, openSUSE, or FreeBSD — distros we don't cover yet (Alpine + AlmaLinux + Rocky Linux shipped 2026-04-30).
  • Compliance forbids any package data leaving your network.
  • You already have a CI runner with disk and CPU to host a multi-GB CVE database.
  • You want full control over scan logic, severity gating, and reporting.
  • You enjoy a Sunday-afternoon project and don't mind reading Go.

Pick StackPatch if

You're a one-person SaaS shop and want the answer in five minutes.

  • You run 1–10 Ubuntu, Debian, Alpine, AlmaLinux, or Rocky Linux boxes (Hostinger, Hetzner, Linode, DigitalOcean, Docker hosts, etc.).
  • You don't want to maintain a CVE database, vuln scanner, or report pipeline.
  • You want the exact apt / kernel-reboot / modprobe-blacklist command, not a CVE link.
  • You want a public audit URL to share with paying customers as a trust artifact.
  • You'd rather pay $99 once than spend half a day setting up a free tool you'll forget to maintain.

The middle: what to actually ask yourself

  1. How many hours of patch ops did you do last quarter? If the honest answer is <2, vuls.io is overkill — you'll set it up and never look at the report. StackPatch is the “set it and look at the audit URL when a customer asks” tier.
  2. Do you have someone on call who reads CVEs? vuls assumes yes. StackPatch ships the apt one-liner so the answer can be no.
  3. What's your cost of one missed CVE? For us as a one-person SaaS shop with paying customers, one breach is fatal. $99 to make a class of mistakes structurally harder is a deal. For a hobbyist VPS, vuls is free and totally fine.
  4. Will you actually maintain the vuls DB? go-cve-dictionary, goval-dictionary, gost, cve-search — they all need cron-rebuilds, or your scans go stale and you don't notice. If “yes” isn't a confident yes, you'll silently be running a stale scanner. We rebuild ours every 30 minutes.

Try the free quickscan before paying anyone — including us.

One curl command, no signup. Reads only your distro / codename / kernel / package list. Source is rendered as plain text so you can read it before piping. Five seconds in, you'll know what your stack looks like to a CVE matcher and whether StackPatch — or vuls.io — is the right call.