Trust
Vulkro is a security tool that runs on your most sensitive asset: your source code. So the bar for trusting it is higher than for ordinary software. This page lays out, concretely, why Vulkro is safe to run, and links to the artifacts that let you verify each claim rather than take our word for it.
1. The architecture: your code never leaves your machine
Vulkro is an offline single binary. The detection engine and the CVE bundle both live inside it and run locally.
- No source upload, ever. There is no cloud analysis tier, no "optional" feature that uploads code for deeper scanning. The analysis happens on your machine.
- No telemetry. No usage pings, no crash reports, no feature analytics. This is not a configuration toggle you have to find and disable: the binary has no code path that sends a diagnostic home.
- No account. You do not log in to scan. A Pro license is a signed file bound to your machine and verified locally.
- Enforceable air-gap. Setting VULKRO_OFFLINE=1 guarantees that the process makes zero network calls, enforced at the process boundary. The only network call Vulkro makes by default is the signed CVE bundle fetch from our CDN, and that is opt-out. For a disconnected machine, deliver bundles by USB, mirror, or internal feed. See the air-gap install guide.
The full statement of what the binary does and does not transmit is in the privacy policy.
2. The benchmark: reproducible, not vendor-published
We do not ask you to trust accuracy claims. Vulkro publishes the benchmark harness, the ground-truth corpus, and the scoring code. On the public corpus (10 deliberately vulnerable codebases, 55 catalogued bugs, scored at the default high-confidence setting):
| Metric | Vulkro | Semgrep CE | Bearer 2.0.2 |
|---|---|---|---|
| Precision | 0.77 | 0.76 | 0.50 |
| Recall | 0.65 | 0.24 | 0.47 |
| F1 score | 0.71 | 0.36 | 0.49 |
Clone the corpus, run the same commands, get the same numbers. The benchmark methodology documents the corpus, the scoring rules, and the exact commands.
This is the honest positioning: Vulkro's detectors are closed source (the detection engine is the licensed product), but the benchmark that measures them is public and reproducible. We compete on verifiable results, not on source openness.
3. Signed builds and checksums
Released binaries are published with checksums so you can verify the artifact you downloaded matches the one we shipped.
- Checksums. Each release ships a checksums manifest alongside the platform binaries.
- Build provenance (planned). Cryptographic build provenance via cosign / SLSA is on the roadmap: signed attestations that tie each binary back to the exact source and build that produced it.
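A local check of a downloaded binary against such a manifest, added here as an example rather than Vulkro's own tooling. It assumes the manifest uses the common sha256sum line format ("<hex digest>  <filename>"), which this page does not specify, and the file names in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not Vulkro's own tooling): verify a downloaded release binary
# against the release's checksums manifest before running it.
# Assumed manifest format (not stated on the page): one "<sha256 hex>  <file>"
# line per platform binary, as sha256sum/shasum print it.

# SHA-256 hex digest of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release MANIFEST BINARY
# 0 = digest matches the manifest entry; 1 = mismatch (tampered or corrupt
# download); 2 = no entry for that filename (an unlisted artifact is not one
# the vendor shipped, so treat it as a failure too).
verify_release() {
    manifest=$1; binary=$2
    name=$(basename "$binary")
    # Match on the filename column only, ignoring any directory prefix and the
    # leading '*' that marks binary mode in sha256sum output.
    expected=$(awk -v n="$name" '
        { f=$2; sub(/^\*/, "", f); sub(/.*\//, "", f); if (f == n) { print $1; exit } }
    ' "$manifest")
    if [ -z "$expected" ]; then
        echo "FAIL: no manifest entry for $name" >&2; return 2
    fi
    actual=$(sha256_of "$binary")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name digest $actual != manifest $expected" >&2; return 1
    fi
    echo "OK: $name matches manifest"
}

# Constructed demo: a stand-in "binary" and a manifest built from it, then the
# unlisted and tampered cases. Real use: verify_release checksums.txt ./vulkro
d=$(mktemp -d)
printf 'stand-in binary\n' > "$d/vulkro-linux-amd64"
printf '%s  vulkro-linux-amd64\n' "$(sha256_of "$d/vulkro-linux-amd64")" > "$d/checksums.txt"
verify_release "$d/checksums.txt" "$d/vulkro-linux-amd64" || true     # OK
cp "$d/vulkro-linux-amd64" "$d/vulkro-darwin-arm64"
verify_release "$d/checksums.txt" "$d/vulkro-darwin-arm64" || true    # FAIL: unlisted (2)
printf 'x' >> "$d/vulkro-linux-amd64"
verify_release "$d/checksums.txt" "$d/vulkro-linux-amd64" || true     # FAIL: mismatch (1)
rm -rf "$d"
```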
4. A self-SBOM of the Vulkro binary
Vulkro generates software bills of materials for the code you scan. We hold ourselves to the same standard: a self-SBOM of the Vulkro binary, generated with Vulkro's own CycloneDX / SPDX output, lists the third-party components inside the scanner itself.
The SBOM is produced by the same CycloneDX and SPDX exporters that Pro users run against their own projects, so its format and fidelity are exactly what you would get from Vulkro on your code.
5. Reporting a vulnerability
Found a security issue in Vulkro itself? Our coordinated-disclosure policy, security contact, and response commitment are on the security page, and the machine-readable contact is at /.well-known/security.txt.
See also: Security policy, Privacy policy, Benchmark, Air-gap install, Why no auto-renewal.