Risk Scoring from A+ to F

Every scan generates a 0-100 risk score with an instant letter grade. Track your progress, compare scans, and prove your security posture to stakeholders.

How Scoring Works

Every time Vuln0x analyzes your application, all 27 scanning engines produce individual findings, each classified by severity: critical, high, medium, low, or informational. These findings are then fed into a weighted scoring algorithm that calculates a single composite score on a 0-100 scale, where 100 represents a clean bill of security health and 0 represents a critically vulnerable application.

The scoring methodology is designed to be both intuitive and actionable. Rather than simply counting vulnerabilities, the algorithm considers the severity of each finding, the category it belongs to, and its real-world exploitability. A single critical finding, such as an exposed .env file containing database credentials, will reduce the score significantly more than several low-severity informational notes about optional header improvements. This weighting ensures the score accurately reflects the true risk to your application rather than penalizing you equally for minor best-practice deviations and severe security failures.

The algorithm also rewards defense-in-depth. If your application has strong headers but weak SSL configuration, or excellent cookie security but exposed source maps, the score will reflect these gaps individually. You cannot compensate for a critical weakness in one area by excelling in another. This approach encourages comprehensive security hardening across all attack surfaces rather than selective improvements in easily fixed categories.

The final score maps to a familiar letter grade from A+ to F, making it instantly understandable for both technical and non-technical stakeholders. You do not need to interpret raw vulnerability counts or parse severity distributions. A single grade tells you where you stand, and the detailed breakdown shows you exactly how to improve.

What Determines Your Score

Finding Severity

Each finding is classified as critical, high, medium, low, or informational. Critical findings have the largest impact on your score, while informational findings serve as recommendations that do not reduce the score.

Category Coverage

Your score reflects breadth across all scanning categories. A perfect SSL configuration will not compensate for a completely missing Content-Security-Policy. Each category contributes independently to the overall score.

Weighted Impact

Not all findings are equal. An exposed .env file carrying database credentials impacts the score far more than a missing X-XSS-Protection header, which is deprecated in modern browsers. Weights reflect real-world exploit severity.

Best Practice Bonuses

Going beyond the minimum earns bonus points. Implementing HSTS preload, using TLS 1.3 exclusively, setting strict Content-Security-Policy directives, and enabling DNSSEC all contribute positive signals to your score.

Grade Breakdown

Your 0-100 score maps to a letter grade that instantly communicates your security posture.

A+ (95 - 100)

Outstanding security posture. All critical headers present, strong TLS configuration, no exposed files or secrets, and no framework-specific vulnerabilities detected. Your application follows security best practices across every category.

A (90 - 94)

Excellent security with minor improvement opportunities. Core protections are in place and well-configured. You may have a few informational findings or optional hardening recommendations that would push the score higher.

B (80 - 89)

Good security fundamentals with some areas that need attention. Common for applications that have addressed the most critical issues but still have medium-severity findings like missing optional headers or suboptimal cookie configuration.

C (65 - 79)

Fair security with significant gaps. Multiple medium-severity issues detected, such as missing Content-Security-Policy, weak TLS cipher suites, or overly permissive CORS configuration. Action is recommended before these become attack vectors.

D (40 - 64)

Poor security posture with critical vulnerabilities present. High-severity findings such as exposed environment files, publicly accessible source maps, missing HSTS, or client-side secret leakage. Immediate remediation is strongly advised.

F (0 - 39)

Critical security failures across multiple categories. Your application has severe vulnerabilities that could be exploited by automated scanners or opportunistic attackers. This score typically indicates exposed secrets, no TLS, missing critical headers, and open administrative ports.

Scan Comparison

A single scan tells you where you stand today. But security is not a point-in-time exercise. Code changes, dependencies update, server configurations drift, and new vulnerabilities are disclosed constantly. That is why Vuln0x provides side-by-side scan comparison that lets you track exactly what changed between any two scans of the same target.

When you compare two scans, the platform categorizes every finding into one of three groups: new findings that appeared since the previous scan, resolved findings that are no longer present, and unchanged findings that persist across both. This categorization makes it immediately clear whether your security posture improved, degraded, or stayed the same, and exactly which findings drove the change.

Scan comparison is particularly valuable after deploying fixes. When you resolve a set of vulnerabilities and re-scan, you can verify that those specific findings moved to the resolved column without new issues being introduced. It is also essential for regression detection: if a deployment inadvertently removes a security header or exposes a new file, the comparison will surface it as a new finding with full context about what changed.

Resolved

Findings from the previous scan that are no longer detected. These represent successful fixes and security improvements.

New

Findings that were not present in the previous scan. These could indicate regressions, new attack surfaces, or configuration drift.

Unchanged

Findings that exist in both scans. These are known issues that have not yet been addressed and should be prioritized.
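The comparison logic described above, as an added illustration rather than Vuln0x's own code: two scans of one target are diffed into resolved, new and unchanged findings, scores are mapped to letter grades using the thresholds from the Grade Breakdown section, and a score drop backed by new findings raises a regression alert. It assumes a finding's identity is its category plus check identifier, and the sample findings and the 88 to 72 score drop are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Grade bands as listed under Grade Breakdown (lower bound inclusive, highest first).
GRADE_BANDS = [(95, "A+"), (90, "A"), (80, "B"), (65, "C"), (40, "D"), (0, "F")]
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def grade_for(score: int) -> str:
    """Map a 0-100 composite score to its letter grade."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    return next(letter for floor, letter in GRADE_BANDS if score >= floor)

@dataclass(frozen=True)
class Finding:
    category: str   # scanning category, e.g. "headers" or "tls" (assumed naming)
    check: str      # stable identifier of the check that fired (assumed naming)
    # Severity does not take part in identity: the same check in the same
    # category is the same finding even if its severity was re-rated.
    severity: str = field(compare=False)

def compare_scans(previous: set[Finding], current: set[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings into resolved / new / unchanged, as the comparison view does."""
    def key(f: Finding) -> tuple[str, str]:
        return (f.category, f.check)
    return {
        "resolved": sorted(previous - current, key=key),   # fixed since the last scan
        "new": sorted(current - previous, key=key),        # possible regressions
        "unchanged": sorted(previous & current, key=key),  # still open, prioritize these
    }

def regression_alert(prev_score: int, cur_score: int, diff: dict[str, list[Finding]]) -> str | None:
    """Return an alert line when a score drop is explained by new findings, else None."""
    if cur_score >= prev_score or not diff["new"]:
        return None
    worst = max(diff["new"], key=lambda f: SEVERITY_RANK[f.severity])
    return (f"score {prev_score} ({grade_for(prev_score)}) -> {cur_score} ({grade_for(cur_score)}): "
            f"{len(diff['new'])} new finding(s), worst is {worst.severity} {worst.category}/{worst.check}")

# Constructed sample: one scan before and one after a deployment of the same target.
PREVIOUS = {
    Finding("headers", "missing-csp", "medium"),
    Finding("cookies", "missing-samesite", "low"),
    Finding("tls", "tls10-enabled", "medium"),
}
CURRENT = {
    Finding("headers", "missing-csp", "medium"),            # unchanged
    Finding("headers", "missing-hsts", "high"),             # new: header lost in the deploy
    Finding("exposed-files", "source-map-public", "high"),  # new: source map now served
}

if __name__ == "__main__":
    diff = compare_scans(PREVIOUS, CURRENT)
    for bucket, findings in diff.items():
        print(bucket, [f"{f.category}/{f.check}" for f in findings])
    print(regression_alert(88, 72, diff))
```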

Score Trends

Beyond individual comparisons, Vuln0x tracks your score progression over time. Each scan you run, whether manually triggered or executed on a schedule, adds a data point to your score history. This creates a timeline that visualizes how your security posture evolves across deployments, configuration changes, and dependency updates.

Score trends are invaluable for demonstrating security improvement to stakeholders. Instead of presenting a single scan report, you can show a trajectory: a project that started at a D grade six weeks ago and has climbed to a B through systematic remediation tells a far more compelling story than a static snapshot. For teams pursuing compliance certifications or security audits, trend data provides objective evidence of continuous security investment.

Trends also serve as an early warning system. A score that has been stable at 88 for three months and suddenly drops to 72 after a deployment signals a regression that demands immediate attention. When combined with scheduled scans and webhook notifications, the trend system ensures you are alerted to score changes as they happen, not days or weeks later during a manual review.

For organizations managing multiple projects, score trends make it possible to compare the security health of different applications at a glance. A dashboard showing all your projects with their current grades and trend directions gives engineering leadership the visibility they need to allocate security resources effectively, focusing attention where it is most needed.

Improvement Tracking

Visualize how each fix raises your score. See the direct impact of your security work over time.

Regression Alerts

Get notified immediately when your score drops after a deployment so you can catch issues before users do.

Stakeholder Reports

Share trend data with stakeholders, auditors, and leadership to demonstrate continuous security investment.

Start securing your vibe-coded projects today

20 free credits on signup. No credit card required.