What's new

CHANGELOG

Every improvement, every update. Follow our journey.

v2.0.2 - May 19, 2026

Updated CSP scoring — aligned with industry standards

Two improvements to scoring and reporting:

  • CSP rating calibration: `unsafe-inline` alone in script-src is now rated High (was Critical), matching Mozilla Observatory, OWASP, and Google csp-evaluator. Critical severity is reserved for `unsafe-eval` or proven XSS.
  • Cleaner reports: HSTS and clickjacking findings no longer appear twice under different titles in some reports.
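
The CSP calibration above can be pictured with the following added example. It is not UNPWNED's scanner code: the function names and the `ok` / `not-rated` labels are hypothetical, and reading "alone" as "no nonce or hash alongside it" is an assumption based on how CSP Level 2+ browsers ignore `unsafe-inline` when a nonce or hash is present.

```python
# Added illustration, not the scanner's implementation.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def effective_script_src(policy):
    """Return the source list that governs scripts, or None if unrestricted."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # In CSP the first occurrence of a directive wins; repeats are ignored.
            directives.setdefault(tokens[0].lower(),
                                  [t.lower() for t in tokens[1:]])
    # script-src falls back to default-src when it is absent.
    for name in ("script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None


def rate_script_src(policy):
    """Rate a Content-Security-Policy header value per the v2.0.2 calibration."""
    sources = effective_script_src(policy)
    if sources is None:
        return "not-rated"  # no script restriction at all is a separate finding
    if "'unsafe-eval'" in sources:
        return "critical"
    # Assumption: a nonce or hash neutralises 'unsafe-inline' (CSP Level 2+).
    guarded = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not guarded:
        return "high"
    return "ok"


if __name__ == "__main__":
    # Constructed sample policies.
    for sample in (
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        "script-src 'nonce-abc123' 'unsafe-inline'",
    ):
        print(rate_script_src(sample), "<-", sample)
```

"Proven XSS", the other Critical trigger named above, cannot be derived from the header and is outside this sketch.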

v2.0.1 - May 15, 2026

Easier plan changes and upgrades

You can now upgrade or switch your Pro plan directly from the pricing page or your billing settings — no need to cancel and resubscribe. Upgrades take effect immediately with a prorated charge. Downgrades take effect at your next billing cycle, so you keep your higher limits until then.

v2.0.0 - May 5, 2026

Faster scans for popular domains

When a domain has been scanned recently, you now see those results instantly. No waiting. Verified domain owners and Pro users always get fresh scans on every request.

v1.9.1 - May 2, 2026

Fairer scoring for developers (Methodology v1.1)

We rebalanced how grades are calculated. Common best-practice gaps (missing CSP, DNSSEC, SPF, security headers) no longer push your score down as harshly. Critical risks like exposed secrets, open databases, and cloaking still trigger an instant F. Most sites will score 5-10 points higher under the new model.

What changed:

  • Severity weights softened: high (-10 → -8), medium (-5 → -3), low (-2 → -1).
  • Critical raised slightly (-20 → -25), but more importantly the F cap is now applied LAST in the pipeline so no bonus can bypass it.
  • Grade thresholds lowered: A 88+, B 78+, C 65+, D 50+. F is now <50 (or any critical/cloaking finding).
  • A+ now requires 95+ score, 2 bonuses, and zero high/critical findings.
  • Your last scan has been re-graded automatically with the new methodology.

Read the full methodology at /methodology
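
The following added example shows why the ordering in the second bullet matters. It is not UNPWNED's grading code: the weights and thresholds are the ones listed above, while the starting score of 100, the value of a bonus (`BONUS_POINTS`), capping the score at 49 and the cap-first variant used for contrast are assumptions.

```python
# Added illustration of the v1.1 pipeline, not the product's implementation.
WEIGHTS = {"critical": 25, "high": 8, "medium": 3, "low": 1}   # from the list above
THRESHOLDS = [(88, "A"), (78, "B"), (65, "C"), (50, "D")]      # from the list above

BASE_SCORE = 100    # assumption: scores start at 100 and are clamped to 0..100
BONUS_POINTS = 5    # assumption: the page does not say what a bonus is worth
F_CAP = 49          # assumption: "F is now <50" read as a cap of 49


def grade(findings, bonuses=0, cloaking=False, cap_last=True):
    """Return (score, letter) for a list of severity strings."""
    fatal = cloaking or "critical" in findings
    score = BASE_SCORE - sum(WEIGHTS[s] for s in findings)

    if fatal and not cap_last:
        # Hypothetical cap-first ordering: bonuses added afterwards
        # can lift the score back over the F threshold.
        score = min(score, F_CAP)

    score = max(0, min(100, score + bonuses * BONUS_POINTS))
    letter = next((g for floor, g in THRESHOLDS if score >= floor), "F")

    # A+ needs 95+, two bonuses, and no high/critical findings.
    if score >= 95 and bonuses >= 2 and not {"high", "critical"} & set(findings):
        letter = "A+"

    if fatal and cap_last:
        # F cap applied LAST: nothing earlier in the pipeline can undo it.
        score, letter = min(score, F_CAP), "F"
    return score, letter


if __name__ == "__main__":
    # Constructed sample: one critical finding on a site with two bonuses.
    print("cap last :", grade(["critical"], bonuses=2))
    print("cap first:", grade(["critical"], bonuses=2, cap_last=False))
    print("clean    :", grade(["medium", "low"], bonuses=2))
```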

v3.2 - April 24, 2026

Scanner Reliability Improvements

Scan accuracy is significantly more trustworthy. When a scanner can't complete (timeout, blocked, or target unreachable), it is now reported as a coverage gap instead of silently passing as "clean", so your score reflects what was actually verified, not what was assumed. Telemetry and reporting have been hardened to match.

v3.1 - April 21, 2026

Threat Intelligence Dashboard

Monitoring is now watching the global vulnerability feed for you, not just rescanning your site.

What's new on your Monitoring page:

  • Live CVE feed from the NIST National Vulnerability Database — 113+ vulnerabilities tracked, updated nightly.
  • "Match Your Stack" counter — we compare every new CVE against the technologies we've detected on your scanned domains, and show only the ones that matter to you.
  • Per-domain attribution — when a vulnerability is relevant, you see exactly which of your domains is affected. No more guessing which site to patch.
  • New CVE Inventory page (/monitoring/cves) — full list of every matched CVE with severity filters, domain filter, and search.
  • Email alerts — the moment a new vulnerability is published that affects your stack, you get an email with the details (Pro) or a heads-up (Free).

Data source: NIST NVD. This product uses the NVD API but is not endorsed or certified by the NVD.

v3.0 - April 18, 2026

Fair Scoring v1.0 - Major Scoring Methodology Update

This is our biggest scoring update yet, rebuilt from the ground up after listening to real user feedback.

**What's new**

1. **Fair scoring for sites behind Cloudflare / WAFs.** If our scanner is blocked by active protection, you now earn a bonus - no more getting penalized for doing security right.

2. **Transparent A-F methodology.** Every point is explained on the new /methodology page. No black box, no hidden weights.

3. **Sub-score breakdown.** Every report now shows 7 category gauges (Secrets, Headers, SSL/TLS, Auth, DNS/Email, Database, Dependencies) so you see exactly where to improve.

4. **Peer benchmarking.** Every score shows where you stand against hundreds of real scanned sites ("Beats 87% of scanned sites").

5. **Bonuses toward A+.** HSTS, strict CSP, WAF, rate limiting, and SRI each earn a bonus. Stack them to reach the top grade.

6. **Clear share link.** Turning your report public is now a one-click action at the top of the report - no more hunting for it.

**What this means for your existing reports**

Reports scanned before April 18, 2026 show a small "Scored with methodology v0.9" banner. Your grade was computed under the old rules - rescan the domain to see your current grade under v1.0.

**Why we did this**

Users with Cloudflare kept getting punished for having good security. Users couldn't understand where their score came from. A+ felt meaningless when any clean scan could earn it. We fixed all three.

Thank you for the feedback that shaped this release.

v2.6 - April 14, 2026

Live CVE Intelligence

UNPWNED now syncs vulnerability data nightly from the National Vulnerability Database (NVD). Scans automatically detect known CVEs matching your tech stack and version. Pro users get real-time alerts when new vulnerabilities affect previously scanned domains. Free users receive upgrade prompts for full details.

v2.5 - April 10, 2026

Cloudflare Integration - One-Click Domain Verification & DNS Auto-Fix

Connect your Cloudflare account to UNPWNED and unlock:

  • **One-click domain verification** - No more manual TXT records. Connect Cloudflare and verify your domain instantly.
  • **Auto-fix SPF & DMARC** - Found a missing SPF or DMARC record? Click "Auto-Fix" and we'll create it for you via Cloudflare.
  • **Inline auto-fix buttons** - SPF/DMARC findings now show an orange "AUTO-FIX" button right in your scan report.

**How to connect:** Go to Settings > Cloudflare Integration, or look for the Cloudflare tab when verifying a domain.

Your API token is encrypted with AES-256-GCM and never leaves our servers.

v2.4 - April 10, 2026

Strengthened Terms of Service

Added 9 new legal clauses to our Terms of Service: anti-scraping protection, feedback ownership, class action waiver, force majeure, assignment rights, export control and sanctions compliance, publicity rights, severability, and entire agreement. These additions bring our legal framework in line with industry-leading security platforms and provide stronger protections for both UNPWNED and our users.

v2.3 - April 10, 2026

Scanning Policy & Updated Terms

New scanning policy page with full transparency on what our scans do, how to identify our scanner, and opt-out options for domain owners. Updated Terms of Service with expanded indemnification and scan risk disclosure. Enhanced scan authorization checkbox with clearer legal language.

v2.2 - April 10, 2026

One-Click Monitoring

Setting up monitoring just got way easier.

  • Enable weekly monitoring directly from your scan report - one click, no extra steps.
  • Full scan monitoring no longer requires domain verification. Just scan and monitor.
  • Deep scan monitoring (cloaking detection, HTTP method testing) still requires verification for legal compliance.
  • New scan type selector on the Monitoring page: choose between Full and Deep scan monitoring.

Previously, only 1% of users set up monitoring because it required domain verification first. That barrier is gone for standard scans.

v2.1 - April 9, 2026

Improved Scanner Accuracy

**S3 Scanner Fix:** Eliminated false positives where well-known sites received unrealistically low scores. The scanner no longer reports access-denied (403) cloud storage buckets as security findings - only truly accessible buckets are flagged.

**More accurate results:** Scores now better reflect real security posture. Sites that were previously penalized for non-issues will see improved, more realistic grades.

v2.0 - April 7, 2026

UNPWNED 2.0 is here!

We're excited to announce UNPWNED 2.0 - our biggest update yet.

Here's what's new:

  • Deeper scanning engine - even the standard scan now covers more ground and catches more issues
  • Improved stability - faster, more reliable scans across the board
  • Stronger platform security - we've hardened our infrastructure to keep your data safe
  • Better user experience - smoother flows and refined UI throughout
  • New knowledge pages - explore our growing library of security guides and resources

This release wouldn't have been possible without you. Your trust, feedback, and support drive everything we build. Thank you for being part of the UNPWNED community.

We're just getting started.

v1.10.0 - April 7, 2026

Full First Scan Experience

Your first scan now includes the complete Pro experience - detailed findings, fix instructions, compliance readiness, and PDF export. We also upgraded the PDF report design with improved layout and branding. Rate limit scanner improved with 2-phase detection (parallel warmup + sequential probing), broader header recognition, and smart handling of PWA/SPA sites that use catch-all service workers.

v1.9.0 - April 5, 2026

Cloaking Detection Scanner

Deep scans now detect SEO spam injection and content cloaking. The scanner compares what your site serves to regular visitors vs search engine crawlers (Googlebot), flags suspicious sitemap counts, and identifies hidden text patterns. Available for verified domains only.

v1.8 - April 3, 2026

Support Widget & Monitoring Limits

The feedback button is now "Support" - ask questions, report bugs, or share ideas and we'll reply by email. Monitoring is now limited per plan: Pro 5 gets 1 domain, Pro 20 gets 5, and Pro 100 gets 15 (domain + GitHub combined).

v1.7 - April 2, 2026

GITHUB MONITORING + EXPANDED SCANNING ENGINE

Major update: You can now schedule automatic security scans of your GitHub repositories. Get alerts via email, webhooks, and automatic GitHub Issues when secrets, vulnerable dependencies, or exposed config files are detected.

New scanning capabilities:

  • Config file detection (sensitive files like .env, credentials, private keys)
  • 4 new deep scan checks added in v1.6 (CVE fingerprinting, error disclosure, form security, open redirect)
  • Deep scan reports now visually distinguished with premium design
  • Dashboard improvements: real-time last scan time, issues found counter

GitHub Monitoring is available for Pro users in the Monitoring page.

v1.6 - April 1, 2026

DEEP SCAN ENGINE UPGRADE — 4 NEW SCANNERS

The deep scan engine just got a major upgrade with 4 new security scanners:

  • CVE Fingerprinting — Detects server and library versions, matches them against known CVE vulnerabilities. Now you'll see exactly which CVEs affect your stack.
  • Error Disclosure Detection — Probes your error handling for stack traces, database errors, and debug info leaks that expose internal architecture to attackers.
  • Form Security Audit — Analyzes HTML forms for missing CSRF tokens, insecure password fields, and unsafe form actions.
  • Open Redirect Detection — Tests redirect parameters to find phishing vectors that abuse your domain's trust.

Deep scan now runs 34 security checks (up from 30). Upgrade to Pro to unlock all deep scanners.

v1.5 - March 30, 2026

SCAN ACCURACY FIX + ACCOUNT DELETION

Email security checks (SPF, DMARC, DKIM) now correctly resolve to the root domain when scanning subdomains. Previously, scanning a subdomain could incorrectly report missing email records. You can now permanently delete your account and all associated data from Settings - fully GDPR compliant. Text readability improved across all marketing pages.

v1.4 - March 29, 2026

SMARTER PLATFORM SELECTION + MOBILE FIX

The platform selection step now remembers your choice - returning users skip straight through with one click. You can also switch the fix prompt tool directly from the results page without re-scanning. Fixed an issue where the Terms checkbox could not be tapped on mobile devices during signup.

v1.3 - March 27, 2026

Dismiss Findings, Scan Accuracy & More

Dismiss irrelevant findings from your report (Pro). Partial scan banner now shows how to whitelist the scanner. Cloud bucket detection improved to prevent false positives. Signup honeypot fix for browser autofill. Responsive UI improvements on mobile.

v1.2 - March 26, 2026

Improved Notification Experience

Notification cards now expand in-place to show the full message. View button navigates separately for a better reading experience.

v1.1 - March 26, 2026

Scanner Accuracy Upgrade & New Badges

Upgraded scoring algorithm for better accuracy, especially for sites behind firewalls or authentication. Added 5 new scanner checks: CORS, rate limiting, cloud storage, source maps, and cookie security. New security badge designs - gold (A+), silver (A), green (B). All existing reports have been recalculated.

v1.0 - March 26, 2026

UNPWNED Launch

30+ security scanners covering headers, DNS, SSL, CSP, CORS, privacy & compliance. AI-powered analysis with actionable fix instructions. Continuous domain monitoring with real-time alerts. Security badges (A+/A/B) to showcase your security score. PDF reports, GitHub integration, and promo code support.