About
Vulkro is built by a human, not a faceless SaaS company. This page is where you find out who that is and why the product is shaped the way it is.
The person behind it
[Founder name]
![Founder photo placeholder - [photo]](/assets/images/og-c146bd09108b5cca7732ac704e18282c.png)
[Founder name] has spent [security background: years, roles, the kinds of systems audited or broken] working in application security. [One or two sentences on the specific experience that made the gaps Vulkro fills personally frustrating: e.g. running SAST that either missed real bugs or drowned teams in false positives, or being told to upload a client's source to a vendor cloud to get a scan.]
Vulkro is the tool [Founder name] wanted to exist and could not buy.
Why closed detectors, but a public benchmark
This is the question that defines the product, and it deserves a straight answer.
The detectors are closed source. The detection engine, the rule implementations, and the CVE bundler are the licensed product. They are not on a public repository, not "source-available," and not forkable. That is a deliberate choice: the value a security scanner delivers is the quality of its detection, and that is the thing we sell. Giving the rule engine away would mean giving away the product.
But closed source creates a trust problem. When you cannot read the detectors, how do you know they actually catch what we claim, without flooding you with false positives? Every closed scanner vendor faces this, and most answer it with marketing: a glossy "99% accuracy" number you have no way to check.
Our answer is the benchmark. Instead of asking you to trust a number, we publish the thing that produces the number:
- The benchmark harness that runs the scan.
- The ground-truth corpus: real, deliberately-vulnerable code with every bug labelled, so "did it catch the bug" has an objective answer.
- The scoring code that turns raw findings into precision, recall, and F1.
You clone the corpus, run the same commands we run, and get the same numbers we publish. On the public corpus that is an F1 of 0.71 for Vulkro against 0.36 for Semgrep CE and 0.49 for Bearer 2.0.2. If we tuned a detector and it regressed, the benchmark would show it, in our run and in yours.
So the honest framing is not "open source." It is "publish the benchmark, ship reproducible results." The detectors stay proprietary; the proof that they work is public and you can re-run it yourself. The benchmark page walks through the methodology in full.
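To make the scoring step concrete, here is an added example of a scorer of the kind the list above describes. It is not Vulkro's harness or scoring code: the finding format (file path, line, vulnerability class), the `Site`/`score`/`regressed` names, the matching rules and the toy corpus are all constructed for this illustration, and the real harness's formats and rules are documented on the benchmark page, not here.

```python
"""Scoring scanner output against a labelled corpus.

Added example; this is not Vulkro's benchmark harness or scoring code. It
assumes a finding is identified by (file path, line, vulnerability class);
the real harness's input format is not described on this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Site:
    """One location in the corpus, used for both ground truth and findings."""
    path: str
    line: int
    cwe: str  # vulnerability class the label or finding carries


def score(truth, findings, line_tolerance=0):
    """Match findings to labelled bugs and return
    (precision, recall, f1, missed_bugs, false_positives).

    Rules, which any such scorer has to make explicit:
    - a finding matches a labelled bug only if file and class agree and the
      reported line is within line_tolerance of the labelled line;
    - each labelled bug can be matched at most once, and identical findings
      are collapsed first, so reporting one bug three times earns one TP;
    - every finding left unmatched is a false positive, every labelled bug
      left unmatched is a false negative.
    """
    remaining = sorted(set(truth))
    tp = 0
    false_positives = []
    for f in sorted(set(findings)):
        candidates = [t for t in remaining
                      if t.path == f.path and t.cwe == f.cwe
                      and abs(t.line - f.line) <= line_tolerance]
        if not candidates:
            false_positives.append(f)
            continue
        hit = min(candidates, key=lambda t: abs(t.line - f.line))
        remaining.remove(hit)
        tp += 1
    fp, fn = len(false_positives), len(remaining)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1, remaining, false_positives


def regressed(baseline_f1, candidate_f1, max_drop=0.01):
    """True when a detector change lowered F1 by more than max_drop,
    the check a CI job would run before a tuned ruleset ships."""
    return baseline_f1 - candidate_f1 > max_drop


# Constructed ground truth: four labelled bugs in a toy corpus.
TRUTH = [
    Site("app/db.py", 42, "CWE-89"),      # SQL injection
    Site("app/views.py", 17, "CWE-79"),   # cross-site scripting
    Site("app/files.py", 88, "CWE-22"),   # path traversal
    Site("app/auth.py", 120, "CWE-798"),  # hard-coded credential
]

# Constructed output of a precise scanner: three of four bugs, one of them
# reported twice, plus one finding nothing is labelled for.
SCANNER_A = [
    Site("app/db.py", 42, "CWE-89"),
    Site("app/db.py", 42, "CWE-89"),
    Site("app/views.py", 17, "CWE-79"),
    Site("app/files.py", 88, "CWE-22"),
    Site("app/util.py", 5, "CWE-78"),
]

# Constructed output of a noisy scanner: every bug, but six spurious
# command-injection findings on top.
SCANNER_B = TRUTH + [Site("app/util.py", n, "CWE-78") for n in range(1, 7)]


if __name__ == "__main__":
    for name, findings in (("A", SCANNER_A), ("B", SCANNER_B)):
        p, r, f1, missed, fps = score(TRUTH, findings)
        print(f"scanner {name}: precision={p:.2f} recall={r:.2f} f1={f1:.2f} "
              f"missed={len(missed)} false_positives={len(fps)}")
```

Run stand-alone it scores the two constructed scanners: A lands at precision 0.75, recall 0.75, F1 0.75; B catches everything (recall 1.0) but its six spurious findings drag precision to 0.40 and F1 to about 0.57. Recall alone would rank the noisy scanner first; F1 is what penalises the flooding the paragraph above complains about. The two rules that move the numbers most, how far a reported line may sit from the labelled one and whether duplicate reports count once, are exactly the parts of any published methodology to read before comparing scores across tools.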
What that means for you
- You can verify the catch rate and false-positive rate before you pay, without us handing over the rule engine.
- You can re-run the benchmark on your own corpus to see whether Vulkro's defaults match your codebase. That is the check that matters most, since a public corpus is one any vendor, us included, could tune against.
- You get a supported, commercial product with a vendor on the hook, not a community project with no one accountable.
How the business is run
Vulkro sells a per-term license with no auto-renewal. We do not auto-bill you, and when a term lapses the CLI keeps working at the Free tier with the CVE bundle still updating. The reasoning, and why we frame recurring revenue as voluntary funding rather than a subscription, is on the why no auto-renewal page.
Get in touch
- Security issues: [email protected] (see the security policy)
- Sales and partnerships: [email protected]
- Everything else: [email protected]
See also: Manifesto, Trust, Benchmark, Why no auto-renewal.