Changelog - VulWall

April 2026

VulWall is live. Public launch on Product Hunt with a launch-day banner across the site.
Secured by VulWall gallery — a public showcase at /secured-by listing companies running on VulWall. Click a logo to visit the customer's site.
Public changelog — what you're reading now. One page, every release, plain English.
Annual billing for Pro plans.
Knowledge Base — public security articles with business and technical views.
Bulk import organizations from CSV.
Cancel and reactivate your subscription directly from the Plans tab.

Faster Recommendations and Scans pages — parallelized queries and reduced redundant lookups.
Smarter remediation guidance, now powered by Anthropic Claude.
New and Recurring badges on Recommendations to surface what changed since the last scan.
Subdomain children visible to Free users with a clear path to Pro.
Larger Recent Scans page (10 per page, up from 5) and severity accent on each row.
Cleaner, more accurate landing copy and a refreshed Roadmap.
Faster page loads — replaced inline icons with Font Awesome and trimmed CSS.

Email-verification flow occasionally losing the org claim token.
Auth0 callback handling — clearer error pages instead of raw 400s, better recovery from interrupted signups.
Orphan subdomains now appear in the Discoveries tab.
Billing — correct price shown for annual subscribers, working "Switch to Annual" upgrade.
Multi-org users — Payments now resolves the right organization.
Various scanner stability fixes — Shodan quota handling, parent-id repair on subdomain and IP records, transient-DNS resilience.

HMAC-signed scan webhooks between scanner and dashboard.
Asset creation blocks private and reserved IP ranges to prevent SSRF.
Asset type strictly validated — IPs in domain fields and vice-versa are rejected.
Audit log noise reduced: admin actions filtered from customer-facing audit views.
Scan-completion emails suppressed for unclaimed organizations.

The foundation we shipped during private beta, before going public on April 2026.

Knowledge Base — public security articles with separate business and technical views.
Public Security Certificates — share your security score with an embeddable trust badge.
AI remediation guidance — every finding gets context, business impact, and step-by-step fixes powered by Anthropic Claude.
Multi-tenant organizations — invite teammates, switch between orgs, share reports.
Stripe billing — Free and Pro plans with cancel and reactivate from the dashboard.
First-time onboarding tour to walk new users through the dashboard.
Scan heatmap and security timeline to visualise scan history at a glance.

Expanded scanner coverage — HTTP security headers (HSTS, CSP, CORS, security.txt), email security (SPF, DKIM, DMARC, DNS zone transfer), JavaScript dependency vulnerabilities, web technology profiling, WAF detection, and IP/cloud enrichment.
Recalibrated security scoring — deterministic, weighted by source and exploitability, aligned across dashboard, reports, and certificates.
Smarter port scanning — Shodan-first with TCP fallback for faster, more accurate results.
Cron-based scan coordinator with per-org schedules and on-demand triggers.
Audit logging with filtered customer-facing views.

Numerous reliability fixes across the scan pipeline — Redis stream cleanup, race conditions in claim and ingestion flows, false-positive reductions in TestSSL and email security scanners, severity recalibration to match real-world exploitability.

HMAC-SHA256 signed webhooks between scanner and dashboard.
SSRF protection — asset creation blocks private and reserved IP ranges; scanner uses SSRF-safe DNS resolution.
Cryptographically signed claim tokens for organisation ownership transfer.
Hardened Content Security Policy — no inline scripts, restricted connect-src, base-uri and form-action locked down.
Session security — Secure and SameSite cookies, persisted Data Protection keys, 4-hour session timeout.
Open redirect in login return URL fixed.
Containers run as non-root with read-only filesystems where possible.