Tools

Tools: Latest: I built a CVE patch-ops tool for indie SaaS shops in a weekend (open scan, honest comparison vs vuls.io)

2026-05-01 0 views admin
Tools: Latest: I built a CVE patch-ops tool for indie SaaS shops in a weekend (open scan, honest comparison vs vuls.io)

I built a CVE patch-ops tool for indie SaaS shops in a weekend (open scan, honest comparison vs vuls.io)

The free quickscan: 5 seconds, 0 signup

Architecture: file-based, Python stdlib, no DB

The killer workflow: the public audit URL

Honest vs vuls.io

What V1 doesn't do

Pricing: $99 lifetime for the first 50

Try it Last week Hostinger emailed every customer about CVE-2026-31431 — the "Copy Fail" Linux kernel local-privilege-escalation. A 732-byte Python script gets root via algif_aead AF_ALG + splice(). Every kernel between 2017 and the upstream fix in early 2026. I run a one-person SaaS on a Hostinger VPS. I read the advisory, dropped a modprobe blacklist, and was patched in 30 minutes. Then I realized: most indie SaaS founders running their own boxes wouldn't read that email until tomorrow. Some would never read it at all. Patch ops for the indie-SaaS tier doesn't exist. vuls.io is great if you have a security engineer with half a day. Enterprise tools are unaffordable. The gap is "I have 1–10 Linux servers, I know I should patch, the workflow is too annoying to do consistently." So I built StackPatch — curl https://mindsparkstack.com/scan.sh | bash for a free anonymous CVE check, $99 lifetime founder seat for hourly monitoring with a public audit URL. This post is the build log: architecture, the honest vs-vuls comparison, and the bash one-liner you can run on your VPS in five seconds to see what it does. The script reads /etc/os-release, uname -r, the top 200 packages from dpkg-query, and POSTs them to a public API. The API runs the live USN feed (Ubuntu) and the Debian Security Tracker (~110K fix-records across bookworm/trixie/bullseye) against your inventory using dpkg --compare-versions, returns matching CVEs with the exact remediation command. The source is served as text/plain so you can curl https://mindsparkstack.com/scan.sh and read it before piping to bash. No persistent state server-side beyond a 5-min cache. No identifying info collected (no hostname, no IP, no env vars). On a real noble box with openssh-client 1:9.6p1-3ubuntu13.10: That's the demo. Five seconds, real CVEs, exact commands. The whole backend is JSONL files on disk + cron + a small Next.js layer. There's no Postgres. There's no Kubernetes. The matcher is one Python script: A few details that mattered: Inventory + matcher run on three crons: That's the whole thing. The Next.js layer is a thin wrapper that exposes: This is what I didn't see in any other tool. Every monitored server gets a URL like: https://mindsparkstack.com/patch/audit/mss-vps It shows current findings, applied mitigations, recent resolutions, package counts, kernel state. Updates hourly. Customers (or your customers' enterprise prospects) can verify your security posture without an NDA, without a stale PDF. When a $3K/year customer asks "how do you handle server security updates?" — you send the link. Done. This isn't a security scanner. It's a security-response receipt. That distinction is the whole reason the product exists. vuls.io is the obvious comparison. It's free, OSS, mature since 2016, 10K+ GitHub stars, supports Ubuntu/Debian/RHEL/CentOS/Amazon Linux/openSUSE/Alpine/FreeBSD/Windows. I built /patch/vs-vuls as an honest 12-row green/red/grey side-by-side. Honest enough that the page actively recommends vuls.io if you fit those constraints: Pick StackPatch instead if: If a Sunday-afternoon scanner project sounds fun: vuls.io. If you want to be patched and provably so by tomorrow morning: StackPatch. I'm not going to lie about the gaps: If any of those are dealbreakers, vuls.io or an enterprise tool is the right call. There's no growth-hack reason for the lifetime price. It's a forcing function — a recurring-revenue product is cheaper for me long-term but it lets me delay shipping. Lifetime sales mean I have to keep adding founders, which means I have to keep shipping. Comments welcome — what's missing, what's wrong, what would make you switch from vuls.io. I read everything. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash === StackPatch quickscan === distro: ubuntu codename: noble kernel: 6.8.0-100-generic packages: 187 ⚠️ 2 active CVE matches on your stack right now (worst: high). Run the recommended commands above. To monitor every server hourly... [HIGH] CVE-2026-31431 Linux kernel "Copy Fail" — local-priv-esc via algif_aead why: Linux kernel local-priv-esc; 732-byte Python script gets root... match: Running kernel: 6.8.0-100-generic recommend: Apply persistent modprobe blacklist for algif_aead now... [HIGH] USN-8222-1 OpenSSH 9.6p1 vulnerabilities match: openssh-client: installed 1:9.6p1-3ubuntu13.10 < fixed 1:9.6p1-3ubuntu13.16 recommend: -weight: 600;">sudo -weight: 500;">apt-get -weight: 500;">install --only--weight: 500;">upgrade -y openssh-client === StackPatch quickscan === distro: ubuntu codename: noble kernel: 6.8.0-100-generic packages: 187 ⚠️ 2 active CVE matches on your stack right now (worst: high). Run the recommended commands above. To monitor every server hourly... [HIGH] CVE-2026-31431 Linux kernel "Copy Fail" — local-priv-esc via algif_aead why: Linux kernel local-priv-esc; 732-byte Python script gets root... match: Running kernel: 6.8.0-100-generic recommend: Apply persistent modprobe blacklist for algif_aead now... [HIGH] USN-8222-1 OpenSSH 9.6p1 vulnerabilities match: openssh-client: installed 1:9.6p1-3ubuntu13.10 < fixed 1:9.6p1-3ubuntu13.16 recommend: -weight: 600;">sudo -weight: 500;">apt-get -weight: 500;">install --only--weight: 500;">upgrade -y openssh-client === StackPatch quickscan === distro: ubuntu codename: noble kernel: 6.8.0-100-generic packages: 187 ⚠️ 2 active CVE matches on your stack right now (worst: high). Run the recommended commands above. To monitor every server hourly... [HIGH] CVE-2026-31431 Linux kernel "Copy Fail" — local-priv-esc via algif_aead why: Linux kernel local-priv-esc; 732-byte Python script gets root... match: Running kernel: 6.8.0-100-generic recommend: Apply persistent modprobe blacklist for algif_aead now... [HIGH] USN-8222-1 OpenSSH 9.6p1 vulnerabilities match: openssh-client: installed 1:9.6p1-3ubuntu13.10 < fixed 1:9.6p1-3ubuntu13.16 recommend: -weight: 600;">sudo -weight: 500;">apt-get -weight: 500;">install --only--weight: 500;">upgrade -y openssh-client # Pseudocode of the matcher join for usn in cached_usns: for pkg in usn.release_packages[user_codename]: installed = user_inventory.packages.get(pkg.name) if installed and dpkg_lt(installed, pkg.fixed): yield Finding(usn, pkg, installed, fixed) # Pseudocode of the matcher join for usn in cached_usns: for pkg in usn.release_packages[user_codename]: installed = user_inventory.packages.get(pkg.name) if installed and dpkg_lt(installed, pkg.fixed): yield Finding(usn, pkg, installed, fixed) # Pseudocode of the matcher join for usn in cached_usns: for pkg in usn.release_packages[user_codename]: installed = user_inventory.packages.get(pkg.name) if installed and dpkg_lt(installed, pkg.fixed): yield Finding(usn, pkg, installed, fixed) 3 * * * * inventory (reads /etc/os-release, uname, dpkg, -weight: 500;">docker, ports, modprobe) 23,53 * * * * USN poll (Ubuntu Security Notices feed, twice hourly) 0 4 * * * DSA poll (Debian Security Tracker, daily — file is huge) 33 * * * * matcher (joins inventory × USN × DSA, writes findings JSONL) 40 * * * * alerts (emails customers when findings change) 3 * * * * inventory (reads /etc/os-release, uname, dpkg, -weight: 500;">docker, ports, modprobe) 23,53 * * * * USN poll (Ubuntu Security Notices feed, twice hourly) 0 4 * * * DSA poll (Debian Security Tracker, daily — file is huge) 33 * * * * matcher (joins inventory × USN × DSA, writes findings JSONL) 40 * * * * alerts (emails customers when findings change) 3 * * * * inventory (reads /etc/os-release, uname, dpkg, -weight: 500;">docker, ports, modprobe) 23,53 * * * * USN poll (Ubuntu Security Notices feed, twice hourly) 0 4 * * * DSA poll (Debian Security Tracker, daily — file is huge) 33 * * * * matcher (joins inventory × USN × DSA, writes findings JSONL) 40 * * * * alerts (emails customers when findings change) -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash -weight: 500;">curl https://mindsparkstack.com/scan.sh | bash - Use dpkg --compare-versions for Debian-policy-correct version comparison. Lexicographic compare is wrong for 1:9.6p1-3ubuntu13.10 vs 1:9.6p1-3ubuntu13.16 (lex says "10" > "16"). Spawning dpkg once per pair is cheap. - Pre-filter by codename. USN release_packages is keyed by noble | jammy | focal | bionic. Reading the user's /etc/os-release VERSION_CODENAME upfront lets the matcher skip 90% of records. - Cap the USN window. I scan the last 200 USNs (sorted by ID). Older ones are fine to stale; if a 2017 USN matters to your 2024 box, you have bigger problems. - Debian Security Tracker is huge. The tracker.json is 70 MB with 36K fix-records per release. I pre-build per-codename indexes ({package: [{cve, fixed_version, urgency}]}) once daily so the matcher loads ~12 MB instead of 70 MB per request. - /api/stackpatch/quickscan — anonymous POST, returns matches in <1s - /api/stackpatch/enroll — paid customer enrolls a server with a token, returns audit URL - /api/stackpatch/inventory — authenticated inventory POST from the agent - /patch/audit/<slug> — public posture page per server - You have a security engineer with half a day to set up go-cve-dictionary + goval-dictionary + gost + cve-search and rebuild them on cron - You need FreeBSD / Windows / openSUSE support - Compliance forbids any package data leaving your network - You're a one-person SaaS shop with 1–10 boxes on Ubuntu, Debian, Alpine, AlmaLinux, or Rocky Linux - You want the answer in 5 minutes, not half a day - You want the exact -weight: 500;">apt / -weight: 500;">apk / -weight: 500;">dnf / kernel-reboot / modprobe-blacklist one-liner, not just a CVE link - You want a public audit URL for sales due diligence - No FreeBSD / Windows / openSUSE yet (V1+ covers Ubuntu, Debian, Alpine, AlmaLinux, Rocky Linux — 18 release versions across those 5 distros, 41K unique CVEs cross-indexed from USN + DSA + Alpine secdb + OSV-rpm + NVD) - No auto-apply (deliberate — you should review the command, security-product trust is fragile) - No multi-user RBAC, no SSO, no compliance attestations (this is for solo founders, not security teams) - No Kubernetes (out of scope for V1; you're not running k8s on a $5/mo VPS anyway) - No SLA on remediation (we tell you the command; you run it) - Free quickscan: anonymous, no signup, no limits. Run it on as many boxes as you like. - $99 lifetime founder seat: 3 servers, hourly monitoring, real-time email alerts, public audit URL, every V2+ feature included. 50 only, then it's a monthly subscription tier.

🏷️ Tags

toolsutilitiessecurity toolslatestbuiltpatchindieshopsweekendhonest

More from Tools

Tools: Research PoC to Redteam Toolkit: Hardening CVE-2026-31431 for Production Operations From (Update 2)

Tools: Research PoC to Redteam Toolkit: Hardening CVE-2026-31431 for Production Operations From (Update 2)

2026-05-01 0
Tools: 4 Linux Hardening Labs for Cybersecurity Engineers: Tmpfs, Ports, Boot, and UFW - 2025 Update

Tools: 4 Linux Hardening Labs for Cybersecurity Engineers: Tmpfs, Ports, Boot, and UFW - 2025 Update

2026-05-01 0
Tools: Landlock LSM: Der ultimative Schutz vor Root-Privilegien (2026)

Tools: Landlock LSM: Der ultimative Schutz vor Root-Privilegien (2026)

2026-05-01 0
Tools: Latest: How to Deploy Llama 3.2 with vLLM + Ray Distributed Inference on a $18/Month DigitalOcean GPU Droplet: Multi-GPU Scaling at 1/120th API Cost

Tools: Latest: How to Deploy Llama 3.2 with vLLM + Ray Distributed Inference on a $18/Month DigitalOcean GPU Droplet: Multi-GPU Scaling at 1/120th API Cost

2026-05-01 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views