March 20, 2026 · SafeToShip Team
What Your Security Score Actually Means
SafeToShip gives your app a security score from 0 to 10. Here is how the scoring works, what each grade means, and how to improve your score.
When you scan your site with SafeToShip, you get a score from 0.0 to 10.0 and a letter grade. Here is exactly how both are calculated.
How scoring works
Every scan starts at 10.0, a perfect score. Each security issue we find deducts points based on severity:
| Severity | Points deducted | Example |
|----------|----------------|---------|
| Critical | -3.0 | Exposed .env file, leaked API key, open database |
| High | -1.5 | Missing CSP header, self-signed SSL certificate |
| Medium | -0.5 | Missing X-Frame-Options, SameSite cookie issue |
| Low | -0.15 | Missing Permissions-Policy, cookie expiry too long |
The score has a floor of 0.0 and cannot go negative. A single critical finding drops you from a 10 to a 7. Two criticals and you are at 4.0 before any other issues are even counted.
What the grades mean
Your score maps to a letter grade:
A (9.0 to 10.0) Excellent. Your app follows security best practices. You are ready to ship with confidence. You qualify for a SafeToShip trust badge.
B (7.0 to 8.9) Good. A few minor issues to address, but nothing critical. You qualify for a trust badge at this level too.
C (5.0 to 6.9) Fair. There are real security gaps that need attention. This is where most AI-built apps land on their first scan. Fixing the high-severity items usually pushes you to a B or A.
D (3.0 to 4.9) Poor. Multiple serious issues. Your app likely has exposed data or missing protections that an attacker could exploit. Fix the critical and high items before sharing your app widely.
F (0.0 to 2.9) Critical. Your app has severe security problems. There may be exposed API keys, open databases, or other issues that need immediate attention. Do not share this app publicly until these are resolved.
The average vibe-coded app scores 4.0 to 6.5
If your first scan comes back as a D or C, you are not alone. Most apps built with AI tools score in this range because the AI optimizes for functionality, not security.
The good news: most issues are straightforward to fix. A typical app can go from a D to a B in an afternoon using the fix prompts.
How to improve your score
The highest-impact fixes, in order:

- Fix critical findings first. Each one is worth 3 points. Blocking access to an exposed config file or open database is usually a one-line change. A leaked API key also has to be rotated: taking the file offline stops future reads, but it does not revoke a key that has already been seen.
- Address high findings. Each is worth 1.5 points. Adding security headers is often a single configuration change in your middleware or hosting platform.
- Clean up mediums. Each is worth 0.5 points. Cookie settings, CORS configuration, and email records round out your score.
- Rescan after fixing. Your score updates immediately. Many people go from F to B in a single session.
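To make the arithmetic concrete, here is a small model of the scoring, the grade bands, and the fix-order trajectory described above. This is an added example, not SafeToShip's own code. It assumes the deduction table exactly as listed in this post, keeps the score in integer hundredths so that many 0.15 deductions never accumulate floating-point error, and treats the grade bands as half-open (a score of 8.95, which the bands as written do not cover, is graded B because it is below 9.0; the post does not say how SafeToShip handles that case, so this is an assumption). The sample findings are constructed for the example.

```python
"""Model of the SafeToShip-style score described in the post.

Added example, not SafeToShip's code. Assumptions:
  - deductions exactly as the post's table: 3.0 / 1.5 / 0.5 / 0.15
  - arithmetic in integer hundredths of a point (avoids float drift)
  - half-open grade bands: A >= 9.0, B >= 7.0, C >= 5.0, D >= 3.0, else F
"""
from dataclasses import dataclass

# Deductions in hundredths of a point (300 == 3.0 points).
DEDUCTIONS = {"critical": 300, "high": 150, "medium": 50, "low": 15}
PERFECT = 1000  # every scan starts at 10.0

# (grade, lower bound in hundredths), checked from best to worst.
GRADE_BANDS = [("A", 900), ("B", 700), ("C", 500), ("D", 300), ("F", 0)]


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium" | "low"
    title: str


def score_hundredths(findings) -> int:
    """Sum the deductions and apply the 0.0 floor; returns hundredths."""
    deducted = 0
    for f in findings:
        sev = f.severity.lower()
        if sev not in DEDUCTIONS:
            raise ValueError(f"unknown severity: {f.severity!r}")
        deducted += DEDUCTIONS[sev]
    return max(PERFECT - deducted, 0)  # cannot go negative


def score(findings) -> float:
    """The 0.0 to 10.0 score a user would see."""
    return score_hundredths(findings) / 100


def grade_for(hundredths: int) -> str:
    """Map a score in hundredths to its letter grade (half-open bands)."""
    for letter, floor in GRADE_BANDS:
        if hundredths >= floor:
            return letter
    return "F"  # not reachable: the F band starts at 0


def fix_plan(findings):
    """Fix findings largest-deduction first and report (title, score, grade)
    after each fix. This is the critical -> high -> medium -> low order the
    post recommends; ties keep scan order because Python's sort is stable."""
    remaining = sorted(
        findings, key=lambda f: DEDUCTIONS[f.severity.lower()], reverse=True
    )
    plan = []
    while remaining:
        fixed = remaining.pop(0)
        plan.append((fixed.title, score(remaining), grade_for(score_hundredths(remaining))))
    return plan


# Constructed sample scan (assumed, not real scanner output).
SAMPLE_SCAN = [
    Finding("critical", "Exposed .env file"),
    Finding("critical", "Leaked API key"),
    Finding("high", "Missing CSP header"),
    Finding("medium", "Missing X-Frame-Options"),
    Finding("low", "Missing Permissions-Policy"),
    Finding("low", "Cookie expiry too long"),
]

if __name__ == "__main__":
    initial = score_hundredths(SAMPLE_SCAN)
    print(f"Initial: {initial / 100:.2f} ({grade_for(initial)})")
    for title, s, g in fix_plan(SAMPLE_SCAN):
        print(f"  after fixing {title!r:30} -> {s:.2f} {g}")
```

Running it on the sample scan starts at 1.70 (F): the two criticals alone cost 6 points. Fixing the first critical gives 4.70 (D), the second 7.70 (B), and the high 9.20 (A), which is the "fix criticals, then highs" trajectory the list above describes. Two criticals with nothing else yields exactly 4.0, matching the worked figure earlier in the post, and four criticals bottoms out at 0.0 rather than going negative.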
Scan your app now
Curious where your app stands? Paste your URL below and find out in 60 seconds.
Your first scan is free. No account required.