How to read a VibeLeak scan result
Decode the grade scale, severity labels, and finding categories so the scan result turns into an actionable fix list instead of a wall of noise.
Reading the result
The grade is a summary, not the whole story
Grades S through F each map to a numerical range. The grade gives a headline, but the real value is in the per-category breakdown that shows where the points were lost.
- Grade S (98–100): Exceptional. A clean scan with zero findings earns the full 100/100.
- Grade A (90–97): Strong. Low or informational hygiene gaps only; any medium finding caps below A.
- Grade B (75–89): Good with tuneups. A high or medium finding is present but not repeated enough to force C.
- Grade C (55–74): Common gaps. Repeated medium gaps, repeated highs, or high plus two medium findings.
- Grade D (35–54): Significant risk. One critical finding caps the score here.
- Grade F (0–34): Critical action. Two critical findings, severe cumulative penalties, or a failed scan.
Findings
Each finding ties to a category and a remediation path
The findings are grouped by module: transport, headers, exposure, AI signals, and more. That grouping makes it easier to batch fixes by theme instead of jumping around.
- Transport findings cover HTTPS, TLS version, and certificate posture.
- Header findings list missing or weak security headers with specific recommendations.
- Exposure findings flag public files, configuration leaks, and obvious weak points.
- AI Signal findings measure how legible the site is to automated discovery and agents.
Severity
Critical, high, medium, low, and info each mean something different
Severity is based on trust impact, not theoretical exploitability. A missing header can be critical if it exposes a broad attack surface.
How to use severity
Context
Percentile rank tells you where the site sits relative to the corpus
A Grade B at the 85th percentile means the site is better than most, even if the grade is not perfect. Use percentile to calibrate expectations and communicate progress to stakeholders.
Practical use
Action
Fix in this order for the fastest trust improvement
The scan is designed so that fixing findings in severity order usually moves the grade the most. Here is the recommended sequence.
1. Fix critical transport issues. HTTPS enforcement and certificate problems are the foundation. Everything else is secondary.
2. Close high-severity header gaps. Missing CSP, framing controls, or HSTS are usually one-line fixes with large score impact.
3. Remove exposure findings. Public files and configuration leaks are easy wins that remove obvious attack paths.
4. Polish medium and low findings. These are refinements. Address them once the major gaps are closed.
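As an added example (not VibeLeak's own code), the sketch below sorts findings by severity, breaking ties with the transport, headers, exposure sequence above, and derives the best grade the cap rules in the grade scale allow. The finding fields, the sample data, and the threshold of three for "repeated" are assumptions; the page does not show the export format or define "repeated".

```python
from collections import Counter

# Assumed orderings: severity first, then the page's fix sequence by module.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
CATEGORY_RANK = {"transport": 0, "headers": 1, "exposure": 2}

# Constructed sample; field names are hypothetical, not VibeLeak's export format.
SAMPLE = [
    {"id": "low-1", "category": "headers", "severity": "low"},
    {"id": "exp-1", "category": "exposure", "severity": "high"},
    {"id": "hdr-1", "category": "headers", "severity": "high"},
    {"id": "tls-1", "category": "transport", "severity": "critical"},
    {"id": "ai-1", "category": "ai_signals", "severity": "medium"},
]


def fix_order(findings):
    """Sort by severity, then transport -> headers -> exposure -> the rest."""
    return sorted(
        findings,
        key=lambda f: (
            SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)),
            CATEGORY_RANK.get(f["category"], len(CATEGORY_RANK)),
        ),
    )


def grade_ceiling(findings, repeated=3):
    """Best grade the page's cap rules allow; cumulative penalties can push lower.

    `repeated` is an assumed threshold: the page does not define "repeated".
    """
    if not findings:
        return "S"  # zero findings earns the full 100/100
    n = Counter(f["severity"] for f in findings)
    if n["critical"] >= 2:
        return "F"
    if n["critical"] == 1:
        return "D"  # one critical finding caps the score here
    if n["high"] >= repeated or n["medium"] >= repeated:
        return "C"  # repeated highs or repeated mediums
    if n["high"] >= 1 and n["medium"] >= 2:
        return "C"  # high plus two medium findings
    if n["high"] or n["medium"]:
        return "B"  # any medium (or high) finding caps below A
    return "A"  # low or informational gaps only


if __name__ == "__main__":
    for f in fix_order(SAMPLE):
        print(f["severity"], f["category"], f["id"])
    print("grade ceiling:", grade_ceiling(SAMPLE))
```

Rerunning `grade_ceiling` on the list that remains after each fix step shows which step lifts the cap.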
Next action
Run the scanner against your own site
The article lands hardest when it turns into a fix list. Scan, close the gaps, and recheck.