Skip to content

Documentation

Everything you need to secure your AI-built projects

Security Score

Features

How the Security Score works

Every scan produces a Security Score from 0 to 100 with a letter grade. This page documents exactly how it’s computed — weights, caps, and the honesty rules — so you never have to trust a number you can’t verify.

Grades

A++

100

A+

90–99

A

80–89

B

70–79

C

60–69

D

40–59

F

0–39

Category weights

The score is a weighted aggregate across scanner categories. Current weights (scoring version security-score-v3):

Security headers0.15
SSL/TLS0.15
Injection0.15
DNS & email auth0.10
Exposure0.10
XSS0.10
Client-side threats0.10
Nuclei engine0.08
OWASP ZAP engine0.08
Cookies0.05
CORS0.05
Technology & CVEs0.05
Subdomains0.05
WAF0.05
Ports0.05
Bundle secrets0.05
Supabase0.05
Firebase0.05
Medusa engine0.05

VirusTotal, GDPR, platform detection and reputation carry zero weight — they inform the report (and can cap the score, below) but don’t add points.

Score caps

Some findings are severe enough that a weighted average would be misleading. Caps override the aggregate:

  • Any confirmed critical finding caps the score at 30.
  • A domain listed on a reputation blocklist caps the score at 20.
  • VirusTotal malicious verdicts apply tiered caps: 20 (≥2 vendors), 15 (≥3), 10 (≥5).

A site with perfect headers and an exposed .env file is not a B — it’s compromised-in-waiting. Caps encode that.

The Boring Score

AI-assisted apps fail in characteristic ways, so scans also produce a Boring Score with weights shifted toward those failure modes: bundle secrets (0.25 — the heaviest single category), exposure (0.15), Supabase (0.15), Firebase (0.10), injection (0.10), client-side threats (0.10), and the rest. Critical findings cap the Boring Score at 25.

Honesty rules

  • Coverage-aware. Every score ships with a per-category breakdown and a coverage ratio (weight actually assessed ÷ weight planned). If coverage falls below 85%, or any category weighted ≥0.10 was unavailable, the score is marked provisional rather than presented as final.
  • Withheld, not dropped.Categories we couldn’t assess are listed as withheld coverage. We never silently shrink the denominator to make the number look better.
  • Evidence policy. Any critical or high finding that lacks captured proof is automatically downgraded to medium, with a disclosure in the finding text. Unproven findings cannot cap your score.
  • Versioned. Every score records its scoring version, so historical scores stay comparable after weight changes.

FAQ

Why did my score drop after a rescan with no new issues?

Either coverage improved (a previously withheld category was assessed) or a finding gained proof and was upgraded. The report’s score-transparency panel shows exactly which.

Can I get an A+ with a medium finding open?

Yes — mediums reduce category scores but don’t cap. Criticals cap at 30 regardless of everything else.