How to read a VibeLeak scan result
Decode the grade scale, severity labels, and finding categories so the scan result turns into an actionable fix list instead of a wall of noise.
Reading the result
The grade is a summary, not the whole story
Each grade from S through F maps to a numerical score range. The grade is the headline; the real value is in the per-category breakdown, which shows where the points were lost.
- Grade S (98–100): Exceptional. A clean scan with zero findings earns the full 100/100.
- Grade A (90–97): Strong. Low or informational hygiene gaps only; any medium finding caps below A.
- Grade B (75–89): Good with tuneups. A high or medium finding is present but not repeated enough to force C.
- Grade C (55–74): Common gaps. Repeated medium gaps, repeated highs, or high plus two medium findings.
- Grade D (35–54): Significant risk. One critical finding caps the score here.
- Grade F (0–34): Critical action. Two critical findings, severe cumulative penalties, or a failed scan.
Findings
Each finding ties to a category and a remediation path
The findings are grouped by module: transport, headers, exposure, AI signals, and more. That grouping makes it easier to batch fixes by theme instead of jumping around.
- Transport findings cover HTTPS, TLS version, and certificate posture.
- Header findings list missing or weak security headers with specific recommendations.
- Exposure findings flag public files, configuration leaks, and obvious weak points.
- AI Signal findings measure how legible the site is to automated discovery and agents.
Severity
Critical, high, medium, low, and info each mean something different
Severity is based on trust impact, not theoretical exploitability. A missing header can be critical if it exposes a broad attack surface.
How to use severity
Context
Percentile rank tells you where the site sits relative to the corpus
A Grade B at the 85th percentile means the site is better than most, even if the grade is not perfect. Use percentile to calibrate expectations and communicate progress to stakeholders.
Practical use
Action
Fix in this order for the fastest trust improvement
The scan is designed so that fixing findings in severity order usually moves the grade the most. Here is the recommended sequence.
1. Fix critical transport issues. HTTPS enforcement and certificate problems are the foundation. Everything else is secondary.
2. Close high-severity header gaps. Missing CSP, framing controls, or HSTS are usually one-line fixes with large score impact.
3. Remove exposure findings. Public files and configuration leaks are easy wins that remove obvious attack paths.
4. Polish medium and low findings. These are refinements. Address them once the major gaps are closed.
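For the header step in the sequence above, a local recheck you can run on a response's headers before rescanning. This is an added example, not VibeLeak's own scoring logic; the function name, the 180-day HSTS minimum, and the suggested header values are assumptions chosen as common starting points.

```python
import re

# Assumption: treat an HSTS lifetime under 180 days as too short.
MIN_HSTS_SECONDS = 15552000
HSTS_FIX = "max-age=31536000; includeSubDomains"

def header_gaps(headers):
    """Return (header, problem, suggested value) for HSTS, CSP and framing."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    gaps = []

    # HSTS must be present and carry a max-age long enough to matter.
    m = re.search(r'max-age\s*=\s*"?(\d+)',
                  h.get("strict-transport-security", ""), re.I)
    if not m:
        gaps.append(("Strict-Transport-Security", "missing", HSTS_FIX))
    elif int(m.group(1)) < MIN_HSTS_SECONDS:
        gaps.append(("Strict-Transport-Security", "max-age too short", HSTS_FIX))

    # Split the CSP into directives; the first occurrence of a directive wins.
    directives = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if not directives:
        gaps.append(("Content-Security-Policy", "missing",
                     "default-src 'self'; frame-ancestors 'none'"))

    # Framing control: a frame-ancestors directive that is not a wildcard,
    # or the legacy X-Frame-Options header set to DENY or SAMEORIGIN.
    ancestors = directives.get("frame-ancestors")
    csp_framing = ancestors is not None and "*" not in ancestors
    xfo = h.get("x-frame-options", "").upper()
    if not csp_framing and xfo not in ("DENY", "SAMEORIGIN"):
        gaps.append(("X-Frame-Options", "no effective framing control", "DENY"))
    return gaps

# Constructed sample responses (not output from any real site or scan).
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
FIXED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("fixed", FIXED)):
        print(name, header_gaps(resp) or "no header gaps")
```

The suggested CSP is a restrictive starting policy; a real site will need its own source list before enforcing it.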
Next action
Run the scanner against your own site
The article lands hardest when it turns into a fix list. Scan, close the gaps, and recheck.