The Vouch Score
The Vouch Score gives you — and anyone looking at your project — an instant read on security health. One number instead of pages of confusing CVE logs.
Score Ranges
| Score | Status | What it means |
|---|---|---|
| 90–100 | ✅ Safe | No critical vulnerabilities or exposed secrets. Ready to deploy. |
| 75–89 | 🟡 Good | Minor issues (low-severity misconfigurations). Fix in next cycle; deployment is acceptable. |
| 50–74 | 🟠 Risks Present | Medium to high vulnerabilities found — missing auth on some routes, weak input validation. Fix before exposing to real users. |
| 0–49 | 🔴 Critical | Severe issues detected: exposed API keys, open SQL injection vectors. Do not deploy. |
What Influences the Score?
The algorithm weights findings by severity. A single Critical finding (e.g., a leaked Stripe secret key) tanks the score immediately — regardless of how clean the rest of the codebase is. Multiple Low findings cause a gradual decline.
Severity levels: Critical → High → Medium → Low
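As an added illustration of the behaviour described above (this is not Vouch's own scoring code, whose formula the page does not publish), the following Python model assigns each finding a deduction by severity and lets the worst finding present set a ceiling, so one Critical finding alone lands the score in the 0–49 band while several Low findings erode it a few points at a time. The deduction weights, ceilings, report line format and file locations are all assumptions constructed for the example; only the band thresholds and labels come from the table above.

```python
"""Hypothetical severity-weighted scorer in the spirit of the Vouch Score.

Assumptions (not from the page): per-severity deductions, per-severity
ceilings, and the one-finding-per-line report format parsed below.
From the page: the four bands 90-100 Safe, 75-89 Good, 50-74 Risks Present,
0-49 Critical, and the ordering Critical > High > Medium > Low.
"""
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Most severe first; used to pick the worst finding in a report.
SEVERITY_ORDER = [Severity.CRITICAL, Severity.HIGH, Severity.MEDIUM, Severity.LOW]

# Assumed points removed per finding (illustrative values only).
DEDUCTION = {
    Severity.CRITICAL: 30,
    Severity.HIGH: 15,
    Severity.MEDIUM: 8,
    Severity.LOW: 3,
}

# Assumed starting ceiling imposed by the worst finding present, chosen so the
# result can never exceed the band the page associates with that severity.
CEILING = {
    Severity.CRITICAL: 49,  # "Critical" band: 0-49
    Severity.HIGH: 74,      # "Risks Present": 50-74
    Severity.MEDIUM: 74,
    Severity.LOW: 89,       # "Good": 75-89
}

# Band floors and labels exactly as in the page's table.
BANDS = [(90, "Safe"), (75, "Good"), (50, "Risks Present"), (0, "Critical")]


@dataclass(frozen=True)
class Finding:
    rule: str           # e.g. "hardcoded-secret"
    severity: Severity
    location: str       # "path:line"; sample values below are constructed


def parse_report(text):
    """Parse constructed lines of the form 'SEVERITY rule path:line'."""
    findings = []
    for line in text.strip().splitlines():
        sev, rule, location = line.split(maxsplit=2)
        findings.append(Finding(rule, Severity(sev.lower()), location))
    return findings


def compute_score(findings):
    """Start from the worst finding's ceiling, then subtract every deduction."""
    if not findings:
        return 100
    worst = min(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))
    base = CEILING[worst.severity]
    score = base - sum(DEDUCTION[f.severity] for f in findings)
    return max(0, score)


def band_for(score):
    """Map a 0-100 score to the status label from the page's table."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def evaluate(findings):
    score = compute_score(findings)
    return score, band_for(score)


# Constructed sample report: one leaked secret plus one minor header issue.
SAMPLE_REPORT = """\
CRITICAL hardcoded-secret src/payments.ts:12
LOW missing-security-header next.config.js:1
"""

if __name__ == "__main__":
    print(evaluate([]))                                   # clean project
    print(evaluate([Finding("x", Severity.LOW, "a:1")] * 5))  # five Lows
    print(evaluate(parse_report(SAMPLE_REPORT)))          # Critical present
```

Running the block shows the two behaviours the page describes: the five-Low project drifts down from Good into Risks Present one small deduction at a time, while the sample report with a single hardcoded secret scores in the Critical band no matter what else is in it.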
What the Score Is NOT
It is not a penetration test. Vouch evaluates static code and config files — it does not actively attack running servers (DAST).
Vouch targets the 20% of “vibe-fails” that cause 80% of real-world security incidents in indie-founder projects: hardcoded secrets, missing auth, open endpoints, and weak database rules.
Next Steps
- See how Auto-Fix generates patches for discovered issues.
- Display your score publicly with the Vouch Badge.