
Why Vulkro never auto-renews

Almost every security tool you can buy is a subscription. You enter a card, a SaaS platform bills it every month or every year, and the charge keeps coming until someone remembers to cancel, finds the right dashboard, and clicks through a retention flow. Vulkro is built the opposite way on purpose.

A per-term license, never auto-billed. When the term lapses, the CLI keeps working at the Free tier and the CVE bundle keeps updating. Renewal is a deliberate decision you make, not a calendar event that happens to you.

How it actually works

  • You buy a term, not a subscription. Pro is a fixed term: 30 days, 365 days, or a perpetual Lifetime license. You pay once for that term.
  • Nothing auto-bills. There is no stored card quietly charging you next cycle. When a term ends, it ends. We email you, and you decide whether to buy another term.
  • The CLI never goes dark. When a Pro term lapses, Vulkro drops to the Free tier and keeps scanning. Your core security scan, secrets, dependency CVEs, broken-auth, injection, and CI integration all keep running.
  • The CVE bundle keeps updating on Free. This is the part that matters most. A lapsed scanner does not go dangerously stale: the vulnerability database (OSV + NVD + KEV + EPSS) keeps updating on the same schedule as Pro. We never punish you for not paying by feeding you an outdated advisory list.
  • What pauses is detection depth. The Pro detector packs, compliance evidence, the portfolio view, and the heavy output formats are what stop until you buy another term. Pro sells detection depth, not data freshness.

Why we built it this way

Auto-renewal is a trap your procurement team has been burned by

Auto-renewing SaaS lines are the ones nobody owns the cancellation for. They survive headcount changes, they renew on a date no one tracked, and untangling them is its own project. A per-term license that simply expires removes that failure mode entirely. There is nothing to cancel because there is nothing recurring.

A scanner should not hold your safety hostage

If we shut off CVE updates the moment your term lapsed, we would be making your codebase less safe to pressure you into paying. That is the wrong incentive for a security tool. Keeping the CVE bundle current on Free means a lapsed user is still protected against known, in-the-wild vulnerabilities. What they give up is depth, not the data that keeps them out of immediate danger.

Recurring revenue should be earned, not extracted

We are not against people paying us year after year. We are against charging them automatically whether or not the product still earns it. So we frame recurring revenue honestly: it is voluntary funding that ships features faster. Every renewal is a customer deciding, with full information, that the Pro depth is worth another term. That keeps the pressure on us to keep shipping, instead of coasting on a card we already have on file.

This is not a "subscription"

We are deliberate about the word. Calling Vulkro Pro a subscription without the qualifier "no auto-renewal" would erase the one thing that makes it different. It is a per-term license. The contrast with auto-billing SaaS is the point, not a footnote.

The plans

| Plan | Term | Price | Auto-renew? |
|---|---|---|---|
| Free | permanent | $0 | n/a (always free) |
| Pro Monthly | 30 days | $24 | Never |
| Pro Annual | 365 days | $199 | Never |
| Team / Org | 365 days | $599 | Never |
| Lifetime | perpetual (major version) | $349 | Never |

Returning customers renew the annual term at $159/yr, a price that never goes up. See the full pricing page for the feature breakdown and the Salesforce SKU.

In short

You pay for a term, the term expires, and you stay safe in the meantime. When you want the Pro depth back, you buy another term. No stored card, no surprise charge, no retention flow. That is the whole policy.


See also: Pricing, Trust, About, CVE bundle.