Skip to main content
VibeAudit All posts

Product

What a Launch Security Pass actually claims (and refuses to claim)

Published 2026-07-09

Security badges have a credibility problem: anyone can paste a shield emoji on a landing page. So when we built the Launch Security Pass, the design goal wasn't to look trustworthy - it was to be checkable by someone who doesn't trust us.

Here's exactly what it is, what it claims, and - just as deliberately - what it refuses to claim.

What it is

A Launch Security Pass is a cryptographically signed credential issued after a VibeAudit scan, included with the US$29/CA$39 Launch Pass. You can embed it as a badge in your README, landing page, or launch post. Anyone who sees it can paste it at vibeaudit.ca/verify, and the verifier checks the signature, freshness, entitlement backing, and the scope that was actually tested - server-side, independent of whatever your site says.

What it claims

One thing: Clear in Verified Scope. The checks VibeAudit ran against the named target passed, within the scope observed, at the time of the scan. Scope is part of the credential - a pass over the external public surface says so, and doesn't pretend to cover what wasn't tested.

What it refuses to claim

  • Not "secure" - no scan can honestly promise that, so the word isn't in the credential.
  • Not "penetration tested" - VibeAudit's deterministic checks are not a human pen test and the pass never implies one.
  • Not permanent - passes carry freshness; a stale pass verifies as stale.
  • Not transferable - the pass is bound to the scanned target, not to whoever embeds the image.

Why the honesty is the feature

A badge that overclaims is worthless the first time someone checks it - and in a market where every scanner name sounds alike, checkability is the differentiator. The pass is our answer to a real question founders get from users, customers, and investors: "did anyone actually look at this before you shipped it?" Now you can answer with something they can verify themselves, instead of asking them to take your word for it.

If a badge claiming to be a VibeAudit pass doesn't verify at vibeaudit.ca/verify, it isn't ours - which is exactly the property that makes the ones that do verify worth showing.

Questions people ask

Can someone fake a Launch Security Pass?
They can copy the image; they can't forge the credential. Verification happens server-side at vibeaudit.ca/verify against the signature, freshness, and entitlement records - a copied badge without a valid credential fails verification.
Does the pass mean my app can't be hacked?
No, and it never says so. It attests that specific checks passed within a verified scope at a point in time - Clear in Verified Scope. Surfaces that weren't tested stay labeled Security Unverified.
How do I keep the pass fresh after launch?
Launch Pass includes manual rescans (rate-limited), and the optional Monthly Watch (US$9/CA$12 per month) adds recurring rescans with a fresh badge plus dependency alerts.

Check your launch, not your luck.

The free Thorough Scan runs against your live URL - severity counts and categories in about a minute, no code upload, no card.

Keep reading