// DOCUMENTATION
VibeLeak docs
Find what attackers check first. VibeLeak scans HTTPS, headers, exposure, and trust signals in seconds — and tells you exactly how to fix what it finds.
Core scanner
Live
5 scans per day on the free tier
Export format
Markdown
Limited-time free launch access when signed in
Trust loop
Recheck
Fix, scan again, confirm the lift
What you can do
Scan any website
Drop in a URL and get a structured trust read in seconds. No account required for the free scanner.
Fix with confidence
Every finding comes with a specific, prioritized fix — not just a warning label.
Track your progress
Recheck after fixes and watch the grade move. Build a release cadence around it.
See what ships next
Signed-in users open the dashboard roadmap to heart-vote planned and in-progress work. The scanner stays focused on findings, not product planning.
How it works
Submit a URL
Enter any domain. The scanner runs across transport, headers, exposure, and trust signals.
Receive a structured score
Get a grade plus categorized findings, each with evidence and a recommended fix.
Fix the top items
Work through findings in priority order. High and critical first.
Recheck
Run the same URL again to verify the grade moved and the blockers are cleared.
AIGuard
AIGuard detects AI provider API keys exposed in a site's HTML source. It runs passively — it reads what the scanner fetches, not what executes in a browser. Keys found in page source are high-signal: they indicate the key is in client-accessible code, exposed to anyone who views source.
Note: dynamically-loaded JS bundles (loaded at runtime, not present in the initial HTML) are not scanned by AIGuard. Dedicated JS bundle scanning tools should be used for deeper analysis.
What it detects
Provider endpoint references
AIGuard detects when page HTML references known AI provider endpoints (e.g. api.openai.com). This is informational — it confirms direct client-side use of an AI service and should be reviewed alongside auth, proxying, and key handling. Same-origin bundle scanning can be enabled for deeper secret checks; active AI endpoint probing is not enabled by default.
What AIGuard does not detect
- • Keys without known provider prefixes (generic API keys, JWTs)
- • Keys in Web Workers, service workers, cross-origin bundles, or dynamically-loaded JS not referenced in the initial HTML
- • Whether a key is used in development vs. production
- • Keys behind authentication on internal tools
- • Active probing of AI service endpoints or cloud infrastructure
CloudLeak
CloudLeak detects Firebase Realtime Database and Supabase REST API references, then probes whether those endpoints are accessible without authentication. It also scans delivered HTML and same-origin JavaScript for public cloud storage URLs across Supabase Storage, Firebase Storage, S3, Google Cloud Storage, and Azure Blob.
Misconfigured cloud backends are a common source of data breaches. Storage URL findings are conservative: visible bucket URLs are treated as review signals, while public listing probes are raised when a safe unauthenticated metadata/listing endpoint confirms exposure.
What it detects
What CloudLeak does not detect
- • Buckets that are private and never referenced by browser-visible code
- • Object contents behind signed URLs, authentication, or unreferenced internal paths
- • Authentication bypass vulnerabilities
- • Sensitivity of data — any accessible DB triggers, regardless of content
- • Rate-limit-induced false negatives
Remediation
For Firebase and Supabase databases: enforce auth and RLS/security rules. For storage: separate public assets from user/private files, disable bucket listing, use signed URLs for private objects, and audit any bucket referenced in client code.
DataLeak
DataLeak looks for the passive public-surface version of API overfetch: same-origin JSON endpoints referenced in delivered HTML or same-origin JavaScript that return private-looking fields without authentication.
This targets the pattern where the backend sends too much data and the frontend merely hides it. Probes are capped, GET-only, same-origin, and skip auth, checkout, upload, webhook, and destructive-looking paths.
What DataLeak does not detect
- • Authenticated-only APIs that require a real user session
- • IDOR bugs where Account A can read Account B only after supplying account-specific IDs
- • Endpoints built dynamically at runtime and not visible in initial HTML or same-origin bundles
Owner-verified IDOR scan
Owner-verified IDOR scanning is separate from the normal public scan. A signed-in owner can submit two test account sessions and a small list of same-site JSON paths; VibeLeak compares Account A and Account B responses for cross-account markers, shared private-looking payloads, messages, drafts, profiles, roles, and account data.
Supplied headers are used only for the live request and are not stored. The API requires explicit owner confirmation and blocks internal/private targets with the same SSRF protections used by the public scanner.
API preview
Use POST /api/owner-idor-scan with owner_confirmation: true, target_url, up to 10 relative paths, and two account header sets. For stronger confirmation, include account-specific marker strings such as test-user emails or unique draft text.
ThreatSurface
ThreatSurface runs four parallel passive-surface probes that test for common runtime and configuration exposures. All checks run simultaneously and complete in a single scan pass.
These checks focus on signals that are directly visible in HTTP responses and headers — no authentication, no JS execution, no internal access.
What it checks
What ThreatSurface does not detect
- • Whether auth endpoints actually enforce rate-limits server-side (only checks response signals)
- • Open redirects that require JavaScript execution or session state
- • Error disclosure behind authenticated routes
- • Server-side request forgery (SSRF) — redirect probes follow zero hops
VibeSignal (AI Signal Score)
VibeSignal is a parallel score to the trust grade. It answers whether AI crawlers, answer engines, and autonomous agents can find, read, and use your public site — using only passive signals visible without authentication.
The headline is a 0–100 score with a status label (Strong, Partial, or Weak signal). Five category rows each cap at 20 points: Discoverability, Content Access, Bot Access, Protocol Discovery, and Commerce Readiness. Detailed items appear as findings in the AI Signals view inside findings review.
Compatibility
- • API field
vibeSignalis primary;agentReadinessis a deprecated alias when present. - • Stored scans may still use legacy DB columns
agent_readiness_scoreandagent_readiness_data; the app maps them at read time. - • Finding categories
ai-signaland legacyagent-readinessare both shown as AI Signals in the UI.
Markdown reference
A longer-form reference for operators lives in docs/vibesignal.md in the repository.
Severity model
Each finding is tagged with a severity level that determines how it affects the overall grade and urgency of the fix.
Remediation steps
Every finding includes a specific recommended fix. The fastest-lift items are surfaced first. Without signing in, the live scanner shows a preview of issues; full remediation text, export, and score watch require an account.
- HTTPS enforcement via TLS certificate
- Security header coverage (CSP posture, X-Frame-Options, HSTS)
- Exposure pattern mitigation
- Trust signal alignment
The recheck loop
The recheck is the payoff. Run the same URL after applying fixes to confirm score movement and track momentum.
When you are signed in, you can also use the Monitored domains area on the dashboard: enable score watch on a full trust scan (letter grade), run Recheck now for an on-demand rescan, or let scheduled rescans update grades. If email delivery is enabled for VibeLeak, grade-change alerts are sent from our notification system.
Tip
Build a recheck into your release checklist. Scan before → fix → scan after → confirm the grade moved.
Architecture overview
Is VibeLeak safe to use?
Yes. The normal VibeLeak scan is a passive public-surface check. It requests public HTTP(S) resources and reads visible signals like TLS state, redirects, headers, cookies, DNS, public files, and AI-facing metadata. It does not log into the target site, does not ask for target credentials, and blocks localhost, private networks, cloud metadata hosts, and private-address redirects.
What VibeLeak stores
Scan URL/domain, timestamps, grade, findings, evidence summaries, account ownership, export/watch state, and the product metadata needed to save, recheck, and operate the report.
What VibeLeak does not store
Full target page content, target user data, target cookies, target sessions, or private application data from the scanned site.
Who sees full reports
Only the signed-in owner can access detailed findings, remediation, evidence archives, and Markdown exports. Public scan links and OG cards are redacted, noindex grade/count summaries.
What logs are for
Operational events may record status, IDs, timing, URL/domain, account state, and delivery status for reliability and abuse prevention. Generated Markdown report bodies are not public report surfaces.
Limited-time free launch access
The scanner itself stays free at 5 public scans per day. During launch, signed-in free users can also reveal full findings and fixes and download Markdown exports. That detailed free report access is temporary; later free reports may blur fixes and exports until the user upgrades.
Reading your score
VibeLeak grades run from F to S. The canonical score starts at 100, subtracts critical -45, high -16, medium -8, low -3, and info -1, then applies caps so severity and letter grade stay honest. A scan with zero findings is the only path to 100/100.
98-100. Elite trust signal; 100/100 means zero findings.
90-97. Strong posture with only low/info hygiene gaps.
75-89. Good with tuneups; any high or medium finding caps below A.
55-74. Common gaps; repeated medium or high-plus-medium mixes land here.
35-54. Significant risk; one critical finding caps the score here.
0-34. Critical action; two critical findings or scan failure land here.
Product roadmap
The product roadmap lives in the dashboard after you sign in (/dashboard/roadmap). It shows planned, in-progress, and recently shipped public milestones without turning the scanner into a changelog. You can heart-vote on open items to help prioritize. The scanner focuses on your results and fixes; it is not a roadmap surface.
Export to Markdown and fix with AI
Signed-in users can export a full trust scan as structured Markdown: your site grade, findings with evidence, remediation in priority order, and operator instructions that tell an agent to audit the live site against the list before changing anything, preserve behavior, and plan a rescan after deploy.
The workflow
What to say to your agent
# Prompt template
Here is my VibeLeak security report for [domain].
Fix all critical and high severity findings in order.
For each fix, explain what you changed and why.
[paste report contents or file path]
Compatible agents
Gating
Markdown export requires a signed-in account and scan ownership. Signed-in free users have limited-time launch access to full findings, fixes, and exports. Later, the free tier may keep scanning free while blurring detailed fixes and export until upgrade.
VibeSignal Export
After running a VibeSignal scan, you can export your AI visibility report as a Markdown file.
How it works
- Run a scan on any URL (Full Scan or VibeSignal Only mode)
- Sign in, then click Export VibeSignal Report in the results panel
- The
.mddownloads, and an account email copy may be sent when email delivery is enabled - Open the file in any editor or drop it into your AI agent
Using the report with your AI agent
The report is designed to be agent-ready. You can:
- Drop the
.mdfile into Claude, ChatGPT, Cursor, Windsurf, or any agent with file upload - Ask: "Implement all the fixes in this report for my website"
- The agent will implement changes to your
robots.txt,llms.txt, schema markup, headers, and.well-known/endpoints - Each finding includes the exact remediation steps with code examples
After fixing
Come back to VibeLeak and run a new VibeSignal scan on your URL. Each category score should improve as fixes are deployed. A perfect score (100/100) means your site is fully optimized for AI discoverability across ChatGPT, Perplexity, Claude, Gemini, and Copilot.
What VibeSignal checks
Signed-in reports show a full evidence ledger for every pass, partial, and miss below. Anonymous scans keep the score preview but redact detailed evidence and fixes until sign-in.
| Category | What's checked | Max points |
|---|---|---|
| Discoverability | robots.txt, sitemap.xml, canonical tags, AI bot rules | 20 |
| Content Access | llms.txt with useful non-HTML 200 response, JSON-LD structured data, semantic public content | 20 |
| Bot Control | robots.txt AI grants, X-Robots-Tag, meta robots | 20 |
| Protocol Discovery | MCP discovery, agent.json, OpenAPI, security.txt or auth discovery | 20 |
| Commerce Signals | Pricing page, checkout cues, Product/Offer JSON-LD, payment headers | 20 |
VibeRank
VibeRank is the paid VibeSignal extension for answer visibility, available inside scan results and at /viberank. The standalone scanner accepts bare domains like example.com, keeps prompt controls in the top target console, verifies paid access, and starts the run automatically when the user sets the target. It builds an evidence-weighted business profile first, then tests prompts that match the detected entity instead of relying on brittle keyword guesses.
The scan derives entity type, industry, business model, category, offerings, audience, problems, platforms, locations, local eligibility, profile confidence, classification source, and profile warnings from the public site. A configured profile model can classify the business through explicit VibeRank profile envs or the shared Nous Portal model envs before prompt generation; if that pass is unavailable, deterministic site signals still run. If evidence is weak, the report shows uncertainty and avoids inventing buyer prompts. Ranked search queues, AI answer citations, validated competitors, and other surfaced domains are captured separately before the S-F VibeRank grade is assigned. Paid runs must save successfully before the UI presents the report, because Markdown and PDF exports depend on the stored run.
Grade and score
An S-F grade plus 0-100 score summarizing whether the business appears in matched prompts, ranked search queues, and cited AI answers.
Readable prompt evidence
Shows the exact prompts tested, why each prompt was selected, target rank or not-in-top-10 status, AI mention/citation status, cleaned answer context, top surfaced domains, and next move.
Citation gaps
Flags when AI answers mention the brand but cite another source, or when the answer avoids the target domain entirely.
Competitor displacement
Counts only configured competitors or category-relevant alternatives as competitors; generic search surfaces are listed separately.
Progress history
Saves VibeRank runs for paid users so score, citation share, answer accuracy, and competitor displacement can be compared after fixes ship.
Prompt controls
Lets paid users override category, location, custom buyer prompts, known competitors, and force local prompts from the top target console when appropriate.
What you get after a VibeRank run
| Output | Why it matters |
|---|---|
| Grade scorecard | A quick read on whether AI answer surfaces can find and trust the scanned brand. |
| Loading report modal | Opens immediately with radar progress, then opens the full VibeRank report on success or shows retry actions on failure. |
| Run history | Shows the latest saved runs and deltas after a rerun. |
| Dashboard panel | Paid users can review recent VibeRank grades, scores, domains, metrics, and export links from the dashboard. |
| Prompt controls | Lets paid users tune category, location, custom prompts, and competitor domains before the run starts. |
| Business profile | Shows the detected entity type, industry, model, category, profile confidence, classification source, offerings, audience, platforms, locations, warnings, and local prompt eligibility. |
| Prompt ledger | Shows every business-matched prompt tested, prompt-selection reason, target search rank, AI visibility, cleaned context, validated competitors, surfaced domains, and next move. |
| Cited sources | Shows which domains AI answers leaned on as evidence. |
| Confidence label | Marks the result Directional, Useful, or Stable based on prompt completion and target citation capture. |
| Findings and fixes | Turns weak prompts, citation gaps, and competitor wins into agent-ready action items. |
| PDF and Markdown exports | Exports a multi-section VibeLeak-branded PDF plus agent instructions, factual guardrails, profile confidence, prompt evidence, fix queue, site-change recommendations, and definition of done after the run is saved. |
Why it matters
Buyers increasingly ask AI answer engines the same way they search, but the right prompts depend on the entity. VibeRank adapts to the scanned organization before testing visibility, then shows what was searched, what ranked, whether the target appeared in AI answers, what context came back, what was merely surfaced, what was a validated competitor, and what needs to improve.
OAuth & API keys
Compatible MCP clients should connect to VibeLeak with OAuth 2.1 Authorization Code + PKCE. Hermes, Codex, and other OAuth-capable MCP clients can discover the protected resource metadata, dynamically register a public client, open browser login/consent, and receive a scoped bearer token for owner-only MCP calls.
Scoped VibeLeak API keys remain available at /dashboard/api-keys for REST API v1 and MCP clients that cannot complete OAuth. Raw keys and OAuth access tokens are shown once; VibeLeak stores only hashed records plus prefix, owner, scopes, created time, last-used time, and revoked time.
Key format
vlk_live_<prefix>_<secret>
Test keys use vlk_test_. The prefix is safe to display; the secret is not recoverable after creation.
MCP OAuth
auth: oauth
Use the remote MCP endpoint with OAuth when the client supports protected-resource metadata and PKCE.
Authentication
Authorization: Bearer ***
Use the same bearer header for /api/v1 routes and owner-only MCP tool calls. Missing, revoked, cross-owner, or underscoped credentials fail closed.
Scopes
scan:writescan:readfindings:readreports:readvibesignal:readviberank:writehistory:readbilling:writescore-watch:writeroadmap:readtrust-index:readOAuth requests fail closed with invalid_scope for blank, unknown, malformed, or wildcard scopes. Exchanged OAuth tokens receive exactly the validated requested scopes.
API v1
API v1 is the durable surface under the MCP. It exposes scan, report, VibeSignal, VibeRank, billing, Score Watch, usage, ownership, and Trust Index status routes with explicit redaction boundaries. Scan and VibeSignal routes also honor paid verified-domain protection and return DOMAIN_SCAN_PROTECTED without identifying the owner.
| Route | Access | Use |
|---|---|---|
| POST /api/v1/scans | Bearer scan:write | Run a stored scan for the API-key owner. |
| GET /api/v1/scans | Bearer history:read | List owned scan grade cards. |
| GET /api/v1/scans/{id} | Bearer scan:read + findings:read | Fetch an owned private scan result. |
| GET /api/v1/scans/{id}/public | Public | Return a redacted public grade card with badge URL, HTML, and Markdown embed code. |
| GET /api/v1/history | Bearer history:read | List recent owned scan history. |
| GET /api/v1/reports/{id}/markdown | Bearer reports:read + findings:read | Export an owned scan as agent-ready Markdown. |
| GET /api/v1/domains/{domain}/vibesignal | Bearer vibesignal:read | Run a redacted VibeSignal check. |
| POST /api/v1/viberank/runs | Bearer viberank:write | Run VibeRank for answer-engine visibility. |
| POST /api/v1/checkout/sessions | Bearer billing:write | Create an allowlisted Stripe checkout session. |
| POST /api/v1/score-watch | Bearer score-watch:write | Enroll an owned scan in Score Watch. |
| GET /api/v1/domain-verifications | Bearer trust-index:read | Check ownership-verification rows. |
| GET /api/v1/trust-index/visibility | Public | Check public Trust Index visibility for a domain. |
| GET /api/v1/usage | Bearer | Return API-key and account usage context. |
Redaction rule
Public grade-card routes never return private evidence, remediation bodies, owner history, or billing state. They do include a copy-ready trust badge object for completed full scans: badge URL, saved-report URL, HTML, Markdown, and an eligibility reason when the scan cannot be embedded.
VibeLeak MCP server
Connect compatible agent clients to VibeLeak through the remote MCP endpoint at /api/mcp. Agents can request public trust signals, retrieve owner-authorized scan details, export reports, and help move remediation work into a clear queue.
Use Hermes native MCP OAuth when possible, or create a scoped API key from /dashboard/api-keys for clients that only support bearer tokens. Public tools stay redacted; private findings, history, remediation, billing, VibeRank, and Score Watch require owner auth with matching scopes.
Public tools
get_connection_statusget_public_grade_cardget_vibesignalget_vibesignal_and_exportget_trust_index_visibility_statusOwner-only tools
scan_domainscan_domain_and_exportget_scan_resultget_private_findingsrun_viberankrun_viberank_and_exportexport_markdown_reportlist_scan_historyverify_domain_ownership_statusget_remediation_actionscreate_checkout_sessionenable_score_watchAgent access model
- Public requests return connection status, grade-card, VibeSignal, or visibility-style data only, including copy-ready badge embed code for eligible saved scans.
- OAuth or scoped bearer auth lets owners run scans, retrieve private findings, export Markdown reports, start Stripe Checkout, run VibeRank, and enable Score Watch.
- Protected verified domains block non-owner scan and VibeSignal attempts across MCP with
DOMAIN_SCAN_PROTECTED. - The
create_checkout_sessiontool creates allowlisted subscription Checkout Sessions without hardcoded card-only payment methods, so Stripe Dynamic Payment Methods can apply.
Discovery files
Discovery files help compatible clients, agent platforms, and partner systems understand how to call VibeLeak without guessing endpoint shapes, authentication rules, or response formats.
/.well-known/mcp.jsonMCP transport, auth policy, tool list, and input schemas.
/.well-known/agent.jsonAgent-facing VibeLeak capability summary and recommended trust-scan flow.
/openapi.jsonOpenAPI 3.1 contract for the API v1 and MCP endpoint.
/llms.txtAI navigation file linking core docs, discovery surfaces, and machine-readable resources.
/sitemap.xmlCanonical public product, docs, blog, case-study, and policy URLs.
/sitemap-domains.xmlAuto-updating public /site/[domain] trust snapshot sitemap for eligible saved scans.
/robots.txtCrawler policy and sitemap declarations, including both sitemap XML endpoints.
/.well-known/oauth-*OAuth protected-resource and authorization-server metadata for MCP clients using PKCE.
Integration notes
Use the MCP discovery file for agent clients, OAuth metadata for owner authorization, the OpenAPI file for REST integrations, and the sitemap files for crawler discovery. The domain sitemap at /sitemap-domains.xml is the Google Search Console target for indexable public /site/[domain] trust snapshots.
Free scanner
The core scanner is free and live now at 5 scans per day. No account is required to run a scan and see your grade and preview. Full findings, fixes, and Markdown exports are available to signed-in free users for a limited launch window.
Account & sign in
No account is required to use the free scanner — scan public URLs up to 5 times per day immediately, unless a paid verified owner has enabled domain scan protection. During launch, a signed-in free account unlocks full findings, fixes, Markdown export, saved history, token-bound claiming for anonymous runs, and Trust Index controls. Founding Pro/Agency pricing is available monthly or yearly through July 14, 2026, and paid access adds VibeRank, API/MCP owner access, Score Watch, verified-domain scan protection, dashboard monitoring, and grade-change or blocked-scan email alerts when email delivery is enabled.
Sign-in methods
Google OAuth
FastestOne-click sign in with your Google account. No password required. Redirects back to the dashboard after auth.
Magic link
PasswordlessEnter your email and receive a sign-in link. Valid for a single use. No password to remember.
Email + password
ClassicStandard email and password sign-in. Use the same form to create a new account.
What an account gives you
Pro rollout
Pro is live for signed-in accounts. Free scanning remains available at 5 scans per day, while signed-in free access to full findings, fixes, and Markdown export is a limited launch window. The founding offer runs through July 14, 2026: Pro can be locked at $9/month or $90/year, and Agency can be locked at $29/month or $290/year, for the life of the active subscription. Pro adds unlimited full scans, durable full-report access, VibeRank, API keys for API v1 and MCP, paid Score Watch, and verified-domain scan protection while team-oriented workflow continues shipping. Signed-in checkout returns to a clear terminal state: success lands on the dashboard, cancelled checkout returns to pricing with the selected billing cadence preserved.
Read-only public JSON
GET /api/public/scan-summary?domain=example.com returns a small teaser (scan id, grade, counts, saved report URL, public page URL) with no private remediation bodies.
Trend view + deep diff
Watch entries show previous vs current letter grade. Rich per-finding diffs between two arbitrary scans remain roadmap.
Checkout return states
Paid plan checkout returns to /dashboard?checkout=success after payment and /pricing?checkout=cancelled&billing=monthly|yearly after cancellation. Webhooks still control the actual subscription record.
Customer API keys
Shipped for API v1 and MCP owner tools. Create keys from /dashboard/api-keys, scope them to the integration, and revoke them from the same dashboard.
Verified-domain scan protection
Pro/Agency users can verify a domain, enable blocking for that exact domain plus its www alias, and receive at most one blocked-scan email per protected domain every 24 hours.
Early capability access
Agency users get first access to new features and rollout waves, Pro users get the second wave, and Free users keep the stable public scanner.
Agency roadmap
Agency is live as a paid account tier for unlimited scans, VibeRank, durable full-report access, and first access to rollout waves. The client-fleet capabilities below are roadmap items, not fully shipped launch features.
Multi-site + bulk scanning
Queue and run scans across all your client domains from one dashboard.
Team seats + shared reports
Give clients and teammates access to shared scan results without individual logins.
Client-facing report packs
Package findings into branded, client-ready reports with your own formatting.
Priority roadmap input
Direct channel to flag what matters most for your clients' stacks.
The Trust Index
The Trust Index is a living public leaderboard of site security scores at /trust-index. It tracks who's winning the trust game, who improved the most, and what was recently scanned.
Every scan also shows a percentile rank — how your site compares against every other site scanned on VibeLeak. Sites with Grade A or S can opt in to appear in the public Hall of Fame. Signed-in users can also request Trust Index privacy for a scanned domain.
Public Trust Index rows point to an indexable /site/<domain> profile instead of a saved report link. That public profile shows the latest grade, a favicon or monogram, safe sharing tools, and a short grade-aware summary. Perfect 100/100 scores use max-score language; non-perfect S grades can still read as top-tier. Public profiles do not show issue categories, fix instructions, or sensitive scan detail.
Trust Index opt-in — same network required. To opt in, your request must come from the same network/IP context as your originating scan. Shared VPNs, proxies, or IPs from large organizations may not qualify.
The viral mechanic
"Better than 71% of sites scanned this month." — that stat is shown immediately after every scan. It's the Spotify Wrapped mechanic. People share rankings, not raw scores.
Hall of Fame
Sites that earn Grade A or S can opt in to be listed publicly in the Hall of Fame. This is the credibility signal you put in READMEs, pitch decks, and press kits.
Most Improved
The Most Improved tab shows domains that were scanned more than once with the biggest grade jumps. No opt-in required — all public rescans qualify automatically.
The growth loop
The shareable moment is a verified grade lift after fixes ship. Most Improved is the proof that repeated scans moved the public surface, whether the final result is S, A, B, or a smaller but meaningful jump.
Privacy controls
If you scan a domain and do not want it listed in Trust Index views, sign in and use the privacy option on the saved scan result. The domain is hidden from Hall of Fame, Most Improved, and Recently Scanned for 48 hours while ownership proof is pending.
Grade change notifications
Every full scan result has a "Notify me if score changes" option for signed-in users. You'll get notified if the domain's grade shifts on the next configured rescan.
Trust badge
Signed-in users can embed a branded VibeLeak trust badge from a saved full scan — GitHub READMEs, landing pages, footers, pitch decks. The badge uses the saved scan result, renders the VibeLeak mark plus Website Security Grade, and fetches the current grade fresh every hour. API v1 and MCP public grade-card responses also return copy-ready badge HTML and Markdown for the same saved scan.
HTML embed:
<a href="https://www.vibeleak.app/scan/<scan-id>"><img src="https://www.vibeleak.app/api/badge/yourdomain.com?style=terminal&size=md&theme=dark" alt="VibeLeak website security grade" /></a>Embed scanner
Use /embed when you want visitors to run a VibeLeak scan from a partner page, docs page, client portal, or landing page. The widget can run a full trust scan or VibeSignal-only pass inside the iframe, then sends people to VibeLeak for full report actions.
Iframe embed:
<iframe src="https://www.vibeleak.app/embed?mode=full&size=md&chrome=0" title="VibeLeak website scan" width="100%" height="720" loading="lazy" allow="clipboard-write" referrerpolicy="strict-origin-when-cross-origin" style="width:100%;min-height:720px;border:0;background:transparent;"></iframe>