Roadmap
What's live, what's next, and where we're heading. Have a request? Tell us →
✅ Live now · June 2026
- Health score (0–100) + plain-English verdict for 629 products — apps, OS distros, appliances and GPU drivers — and their versions
- Self-expanding catalog — when CISA flags a product as actively exploited that we don't already track, a page is created automatically (verified NVD identifier, de-duplicated), so it's live exactly when people start searching for it
- SBOM scanner — drop in a CycloneDX or SPDX file and get a ranked, fix-first patch queue for every component (worst severity + the exact version to upgrade to), matched against OSV. 100% private — parsed in your browser, the file never leaves your device — and free. Optional monitoring emails you when a new vulnerability later hits your components (scan now →)
- Email alerts — get notified the moment a product you monitor becomes actively exploited (CISA KEV) or reaches end-of-life. Free, double opt-in, no account, unsubscribe anytime (set up →)
- Minimum safe version — every version page names the exact lowest release that clears all open critical & high vulnerabilities
- Paste-a-version checker — drop in raw command output (nginx -v, php -v, Apache/2.4.49) and get an instant verdict for any version (try it →)
- Version comparison — see exactly which CVEs an upgrade fixes, from one version to another
- Live Exploitation Radar — actively-exploited CVEs (CISA KEV), newest first
- Recently Patched — the positive counterpart to the radar: tracked software that just shipped a new supported release, newest first, with the safe version to move to (see what's just been fixed →). Your dashboard also flags when a version you run drops below the latest safe release — so you upgrade the moment a fix lands
- Emerging — security newsroom BETA — watches a curated allow-list of trusted outlets (BleepingComputer, Krebs, SecurityWeek, The Hacker News, CISA) and links what they report to the exact software you run, often ahead of full NVD enrichment. Every item is attributed to its source and links out — we surface and link, we never assert our own findings. Signed-in users get a red "you run this" flag on news about their stack (open Emerging →)
- Per-CVE detail: CVSS breakdown, EPSS, ransomware flag, weakness type (CWE), classified patch / advisory links
- End-of-life calendar with a 12-month timeline + search — plus a dedicated end-of-life page for every product with lifecycle data (/eol/php, /eol/windows…): the full support timeline, which release lines are still supported, the safe version to move to, and EOL alerts
- Per-product vulnerability pages — a dedicated known-CVE list for every well-covered product (/nginx/vulnerabilities, /php/vulnerabilities…): the full CVE history with severity, exploitation status and EPSS, actively-exploited first — so "[product] vulnerabilities" searches land on real data, not a wall of noise
- My Stack dashboard — a private security command center: monitor your products, see what's actively exploited at a glance (gauges + charts), and work one ranked fix-these-first patch queue across your stack and your last SBOM scan. Saved in your browser, or synced to a free account (open →)
- Free passwordless accounts — sign in with a one-time code (no password) to sync across devices and unlock smart insights, risk history & trends, CSV/JSON export and per-row drill-down. The browser tools stay free & account-free (sign in →)
- Per-version tracking — record the exact version you run for any product; the dashboard verdict, score and minimum-safe version are then tailored to that version, not the product overall (open →)
- Multi-dimensional risk model — beyond the single 0–100 score, your SBOM scan and stack break risk into named, separately-scored dimensions — Vulnerability · Version · End-of-life · Licence · Unmatched — each with a figure and verdict colour, so security, engineering and legal/procurement each see their slice. The vulnerability dimension flags actively-exploited components (CISA KEV), licence parsing reads the SBOM's own metadata (copyleft / unknown flagged), and the unmatched figure is shown honestly, never hidden. Carried into every evidence pack; every formula is published
- Compliance-ready exports — a software risk register (CSV + PDF), a CycloneDX VEX document, and a per-framework evidence pack for all seventeen editions (EU CRA, FDA 524B, IEC 62443, ISO 21434, NIS2, EO 14028, PCI DSS, SOC 2, ISO 27001, DORA, NIST CSF/CMMC, CIS Controls, Cyber Essentials, Essential Eight, HIPAA, UK Software Code) — each reframing your data in that framework's vocabulary and flagging the right priority rows. All generated in your browser. The PDF/print reports use a light, enterprise-clean template (the live app stays dark): a titled cover page with scope, generation time, data-as-of, sources and disclaimer, then dense, colour-coded tables — so an auditor or procurement reviewer can print it and file it in an audit pack. White-label them with your own logo, accent colour and footer for client / MSP deliverables
- EU Cyber Resilience Act edition — see which of your products are actively exploited (the CRA's 24-hour reporting trigger) and export the SBOM, VEX and evidence you need ahead of the 11 Sep 2026 reporting deadline (about the CRA →)
- ISA/IEC 62443 edition — for industrial & OT (IACS): risk-based patch-management prioritisation, SBOM/component transparency and exportable evidence, mapped to the 62443 practices for asset owners, integrators and product suppliers (about IEC 62443 →)
- FDA Section 524B edition — for medical-device makers: SBOM/component vulnerability analysis, known-exploited prioritisation, end-of-support tracking and postmarket vulnerability-management evidence for premarket submissions (about FDA 524B →)
- ISO/SAE 21434 & UNECE R155 edition — for automotive OEMs and Tier 1/2/3 suppliers: the operations-phase component vulnerability monitoring your CSMS needs, with SBOM transparency across the supply chain (about ISO 21434 →)
- NIS2 Directive edition (EU) — for operators of essential & important services and their suppliers: evidence the Article 21 supply-chain-security and vulnerability-handling measures with SBOM scanning, risk-based patching and exports (about NIS2 →)
- US Executive Order 14028 edition — for software producers selling to US federal agencies: SBOM (NTIA elements) + vulnerability-management evidence to support the SSDF self-attestation (about EO 14028 →)
- CISA BOD 26-04 edition — the new (10 Jun 2026) risk-based patching directive that replaces BOD 22-01: federal agencies must tier remediation by exposure × exploitation × automation × impact, patching the worst within ~3 days. Our SSVC-style queue already ranks the same way, so we map your known-exploited-first findings to the directive and export the remediation record (about BOD 26-04 →)
- PCI DSS 4.0 edition — for merchants, processors and service providers: Requirement 6 software inventory (6.3.2), risk-ranked vulnerability identification (6.3.1) and timely patching (6.3.3), with QSA-ready evidence (about PCI DSS →)
- SOC 2, ISO/IEC 27001, DORA & NIST CSF 2.0 / CMMC editions — the SaaS trust report (SOC 2 CC7.1/CC8.1), the global ISMS standard (ISO 27001 Annex A 8.8), the EU financial-sector rulebook (DORA Art. 9) and the US federal/defense frameworks (NIST CSF 2.0 & CMMC / 800-171) — same engine, each with its own evidence pack
- CIS Controls, Cyber Essentials, Essential Eight, HIPAA & UK Software Security Code editions — best-practice (CIS Controls v8), UK (Cyber Essentials, UK Software Security Code), Australia (Essential Eight) and US healthcare (HIPAA Security Rule) — same engine, each with its own evidence pack
- Compliance hub + "which editions apply to me?" selector — all seventeen editions in one place over a single shared engine and account, with a region + sector picker that highlights the ones likely to apply to you (compliance editions →)
- VEX authoring — turn your SBOM scan into a Vulnerability Exploitability eXchange: triage each component (Affected · Not affected — with a justification like "code not reachable" · False positive · Resolved) and export a CycloneDX VEX that cuts false-positive noise for your customers and auditors (about VEX →)
- Compliance posture dashboard — a live readiness check in My Stack: your monitored stack and last SBOM scored against all seventeen standards at once, filtered to your region & sector, each showing what needs attention and a one-click, audit-ready evidence pack. A "biggest wins" ranking shows which single product to fix to clear the most standards, and (signed in) a posture-over-time trend tracks the standards you've cleared week over week
- Exposure leaderboard — a live ranking of the most-exposed tracked software & vendors, by active exploitation and open critical CVEs (see the leaderboard →)
- Context-aware patch queue — your fix-first queue is ranked Act / Attend / Track by combining exploitation with the exposure and business importance you set per product. Every point is shown inline — no black box (how it's scored →)
- Downloadable PDF reports on every product page
- Free security feeds — RSS & JSON for exploited CVEs, ransomware-linked, end-of-life, a weekly digest, and per-product — subscribe in any reader, Slack, Teams or SIEM (see feeds →)
- Security glossary — plain-English guides to the terms that matter (CVE, CVSS, KEV, EPSS, SSVC, SBOM, VEX, end-of-life), each linked to the live tool that uses it (glossary →)
- Automated data sync multiple times a day (NVD · CISA KEV · EPSS · endoflife.date)
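To make concrete what the SBOM scanner, the minimum-safe-version rule and the paste-a-version checker above actually compute, here is a small worked example. It is added here for illustration and is not the site's own code: the CycloneDX document and the advisory list (`SBOM_JSON`, `ADVISORIES`, the `EXAMPLE-…` ids) are constructed, the advisory set stands in for an OSV lookup, and the product-name regex and the function names (`parse_version_output`, `minimum_safe_version`, `scan_sbom`) are this example's own. The minimum safe version is found by walking every "fixed" boundary at or above the running version and taking the first one with nothing critical or high still open; unmatched components are kept in the queue and reported as such rather than dropped.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM standing in for the file a user would drop in (not real data).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "nginx",   "version": "1.25.0", "purl": "pkg:generic/nginx@1.25.0"},
    {"type": "application", "name": "php",     "version": "8.1.0",  "purl": "pkg:generic/php@8.1.0"},
    {"type": "library",     "name": "leftpad", "version": "1.0.0",  "purl": "pkg:npm/leftpad@1.0.0"}
  ]
}"""

# Constructed advisories in OSV's introduced/fixed range shape. The ids, ranges and
# severities are placeholders for illustration, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "nginx", "severity": "HIGH", "exploited": False,
     "ranges": [{"introduced": "1.20.0", "fixed": "1.25.3"}]},
    {"id": "EXAMPLE-0002", "package": "nginx", "severity": "CRITICAL", "exploited": True,
     "ranges": [{"introduced": "0", "fixed": "1.24.2"}, {"introduced": "1.25.0", "fixed": "1.25.1"}]},
    {"id": "EXAMPLE-0003", "package": "php", "severity": "MEDIUM", "exploited": False,
     "ranges": [{"introduced": "8.0.0", "fixed": "8.1.5"}]},
    {"id": "EXAMPLE-0004", "package": "php", "severity": "HIGH", "exploited": False,
     "ranges": [{"introduced": "8.1.0", "fixed": "8.1.12"}]},
]

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
RANK_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}

# Pulls product and dotted version out of raw tool output such as
# "nginx version: nginx/1.25.0", "PHP 8.1.0 (cli)" or "Apache/2.4.49".
VERSION_OUTPUT = re.compile(r"(?i)\b(nginx|php|apache)\b[^\d]*(\d+(?:\.\d+)+)")


def parse_version(v):
    """Numeric dotted version -> comparable tuple, e.g. '1.25.3' -> (1, 25, 3)."""
    return tuple(int(part) for part in v.split("."))


def parse_version_output(raw):
    """Paste-a-version: (product, version) from raw command output, or None if unrecognised."""
    m = VERSION_OUTPUT.search(raw)
    return (m.group(1).lower(), m.group(2)) if m else None


def is_affected(version, rng):
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])


def open_advisories(name, version):
    return [a for a in ADVISORIES if a["package"] == name
            and any(is_affected(version, r) for r in a["ranges"])]


def minimum_safe_version(name, version):
    """Lowest release at or above `version` with no open CRITICAL/HIGH advisory.

    Candidates are the running version plus every 'fixed' boundary at or above it;
    the first candidate in ascending order with nothing critical/high open wins.
    """
    running = parse_version(version)
    candidates = {version}
    for a in ADVISORIES:
        if a["package"] != name:
            continue
        for r in a["ranges"]:
            if "fixed" in r and parse_version(r["fixed"]) >= running:
                candidates.add(r["fixed"])
    for candidate in sorted(candidates, key=parse_version):
        serious = [a for a in open_advisories(name, candidate)
                   if SEVERITY_RANK[a["severity"]] >= SEVERITY_RANK["HIGH"]]
        if not serious:
            return candidate
    return None  # no known fixed release clears everything critical/high


def assess(name, version):
    matched = any(a["package"] == name for a in ADVISORIES)  # unmatched is reported, not hidden
    hits = open_advisories(name, version)
    worst = max((SEVERITY_RANK[a["severity"]] for a in hits), default=0)
    return {"name": name, "version": version, "matched": matched,
            "open": [a["id"] for a in hits], "worst": RANK_NAME[worst],
            "exploited": any(a["exploited"] for a in hits),
            "minimum_safe": minimum_safe_version(name, version) if matched else None}


def scan_sbom(sbom_json):
    """Fix-first queue: exploited first, then worst severity, unmatched components last."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    rows = [assess(c["name"], c["version"]) for c in bom["components"]]
    rows.sort(key=lambda r: (r["matched"], r["exploited"], SEVERITY_RANK[r["worst"]]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in scan_sbom(SBOM_JSON):
        print(row)
    print(assess(*parse_version_output("nginx version: nginx/1.25.0")))
```

Note that the PHP component in the constructed data is pushed past 8.1.5 to 8.1.12 even though 8.1.5 closes the medium-severity advisory: the rule only stops at a release that clears every critical and high, which is why the answer is not simply the nearest "fixed" boundary.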
⏳ Next
- Hand-curated additions — on top of the self-expanding catalog above, we keep adding the mainstream products people ask for (request yours via feedback)
- SUSE per-release advisories — SUSE Linux Enterprise lifecycle & EOL is tracked now; full per-release security-advisory pages (CSAF) are next, completing the OS-distro set alongside the live Ubuntu (USN), Red Hat (RHSA), Debian (DSA) and Rocky (RLSA) models
- SBOM monitoring digests — a weekly roll-up option alongside the instant new-vulnerability alerts
- Agentic AI security edition — score the AI agents you ship against the new OWASP Agentic Top 10 (ASI01–ASI10) and the AIVSS scoring system, starting with a free, in-browser readiness check — the same engine, pointed at agent-specific risk. AIVSS is at v0.8; every score is pinned to its spec version so assessments stay reproducible when v1.0 lands.
- Account-synced & team branding — white-label report branding (logo, accent, footer) is live now per browser; next is syncing it to your account and sharing one branded template across a team / MSP workspace.
🔭 Later
- Team workspaces — share one monitored stack across a team, and hand clients or auditors clean, branded reports (for teams & MSPs).
- A public API for your own dashboards and automations
- Weekly digest + historical trends per product
🧭 Where this is heading
The SBOM scanner is the foundation. From here it goes deeper, then wider — each step starting only once the one before it has earned it:
- Deeper — context-aware prioritisation — the patch queue now ranks by exploitation × your exposure & business importance, with the reasoning shown inline (no black box). Next: richer signals — EPSS "automatable" exploitation, compensating-control credit, and context synced to your account.
- Wider — compliance editions per framework — the same engine with purpose-built outputs and vocabulary for each software-security rule. Live now (all under one compliance hub): the EU Cyber Resilience Act (reporting duty from Sept 2026), ISA/IEC 62443 (industrial/OT), FDA Section 524B (medical devices), ISO/SAE 21434 with UNECE R155 (automotive), NIS2 (EU — operators of essential & important services), US Executive Order 14028 (federal software), CISA BOD 26-04 (risk-based patching, replaces BOD 22-01), PCI DSS 4.0 (payments / card-data environments), SOC 2 (SaaS trust report), ISO/IEC 27001 (global ISMS), DORA (EU financial sector), NIST CSF 2.0 / CMMC (US federal & defense), CIS Controls v8 (best practice), Cyber Essentials and the UK Software Security Code of Practice (UK), Essential Eight (Australia) and the HIPAA Security Rule (US healthcare) — seventeen editions, all under the hub, with a "which editions apply to me?" selector to triage them. We're also sharpening the live editions — surfacing the CRA's three dated milestones (authorities & notified bodies Jun 2026, vulnerability reporting Sep 2026, machine-readable SBOM & full obligations Dec 2027) so each audience gets the right hook, and leaning into FDA 524B's per-component end-of-life / support level and remediation-plan expectations, which our EOL + minimum-safe-version output maps onto directly. Watching, not yet building: rail-sector CRA guidance and AI-system SBOMs. The teams hit hardest by these deadlines often have no tooling budget — we aim to be the practical, affordable option.
- Sharper over time — as real-world usage accumulates, prioritisation gets smarter from what's actually exploited and patched. We won't bolt on "AI" before the data makes it genuinely useful.
- Broader — more from the same component data — once we've parsed your SBOM and resolved every component, the same data answers more questions for more teams: licence / open-source compliance (GPL/AGPL/MIT obligations — the other reason teams build SBOMs, for legal & procurement), dependency freshness ("you're several major versions behind on 30% of your stack" — for engineering managers), and supplier / vendor risk scoring (aggregate a vendor's security posture for third-party risk assessments). Same facts, new audiences.
- Natural extensions of the engine — VEX authoring is now live (/vex): triage each SBOM component's exploitability — "not affected, code not reachable" — and export a CycloneDX VEX your customers and auditors can ingest. Next: container & image scanning (point the same matching engine at a Docker image's components — a strong CLI/CI story for developers).
- Deliberately out of scope — patch orchestration (actually applying fixes), secrets/config scanning and runtime/EDR would complete the "find → fix" loop, but they're a different discipline with established players, and they'd dilute the one-second, plain-English verdict that is our whole edge. We'd rather be the clearest answer to "is this safe?" than a mediocre everything-suite.
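The context-aware Act / Attend / Track queue described in the "Live now" list and in the "Deeper" bullet above combines exploitation status with the exposure and business importance set per product, with every point shown inline. The following is an added illustration of that shape of scoring, not the site's published formula: the point weights, the thresholds, the `STACK` entries and the `EXAMPLE-…` ids are all constructed, and the names (`score_product`, `rank_queue`, `explain`) are this example's own. It shows how an exploited-but-isolated product can rank below an unexploited one that is internet-facing and business-critical, and how a product with nothing open stays in Track whatever its settings.

```python
# Assumed point weights for illustration only; the site publishes its own formula, this is not it.
EXPLOITATION_POINTS = {"active": 50, "poc": 25, "none": 0}        # "active" = listed in CISA KEV
EXPOSURE_POINTS = {"internet": 30, "internal": 15, "isolated": 0}  # exposure, set per product by the user
IMPORTANCE_POINTS = {"critical": 20, "normal": 10, "low": 0}       # business importance, set per product
ACT_THRESHOLD, ATTEND_THRESHOLD = 70, 40                           # assumed tier cut-offs

# Constructed stack: each entry is what a dashboard would hold for one monitored product.
STACK = [
    {"name": "nginx",    "open_cves": ["EXAMPLE-0002"], "exploitation": "active", "exposure": "internet", "importance": "critical"},
    {"name": "php",      "open_cves": ["EXAMPLE-0004"], "exploitation": "poc",    "exposure": "internal", "importance": "critical"},
    {"name": "postgres", "open_cves": ["EXAMPLE-0005"], "exploitation": "active", "exposure": "isolated", "importance": "low"},
    {"name": "openssh",  "open_cves": ["EXAMPLE-0006"], "exploitation": "none",   "exposure": "internet", "importance": "normal"},
    {"name": "redis",    "open_cves": ["EXAMPLE-0007"], "exploitation": "none",   "exposure": "internal", "importance": "low"},
    {"name": "curl",     "open_cves": [],               "exploitation": "none",   "exposure": "internet", "importance": "critical"},
]


def score_product(product):
    """Score one product and return the tier plus the per-signal breakdown shown inline."""
    if not product["open_cves"]:
        # Nothing to fix: exposure and importance earn no points, the product just gets tracked.
        breakdown = {"exploitation": 0, "exposure": 0, "importance": 0}
        return {"name": product["name"], "tier": "Track", "points": 0, "breakdown": breakdown}
    breakdown = {
        "exploitation": EXPLOITATION_POINTS[product["exploitation"]],
        "exposure": EXPOSURE_POINTS[product["exposure"]],
        "importance": IMPORTANCE_POINTS[product["importance"]],
    }
    total = sum(breakdown.values())
    tier = "Act" if total >= ACT_THRESHOLD else "Attend" if total >= ATTEND_THRESHOLD else "Track"
    return {"name": product["name"], "tier": tier, "points": total, "breakdown": breakdown}


def rank_queue(stack):
    """Fix-these-first order: highest points first (sorted() is stable, so ties keep input order)."""
    return sorted((score_product(p) for p in stack), key=lambda r: r["points"], reverse=True)


def explain(row):
    """One-line inline justification, e.g. 'nginx: Act (100 = exploitation 50 + exposure 30 + importance 20)'."""
    parts = " + ".join(f"{k} {v}" for k, v in row["breakdown"].items())
    return f"{row['name']}: {row['tier']} ({row['points']} = {parts})"


if __name__ == "__main__":
    for row in rank_queue(STACK):
        print(explain(row))
```

Because the breakdown travels with every row, a reviewer can dispute a single input (say, that a host is really "isolated") and see exactly how many points and which tier that changes, which is the "no black box" property the queue is meant to have.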
This roadmap is a direction, not a promise — priorities shift with what you ask for. Shape it →