[esamek]

Good article...your service?

You make me sit there and wait for the results of a scan of a website and then don't show me it? You then ask me to create an account to view my 2 "borderline-unsecure" vulnerabilities? Ok, account created with dummy email. Oh whats this? I still can't view the results? I have to upload shit to my production site in order to just view the results? Did you even actually find anything wrong?

I understand the security implications of having someone verify they do indeed own the site scanned...but this bait and switch crap is infuriating. If you are going to go down that route, at least message it somewhere...clearly.

[borski]

You're right regarding the security implications. We can't show vulnerabilities to someone who hasn't verified they own the site they've scanned, unfortunately. We're working on ways to message this better (specifically, having a "Step N of M" with titles for what each step is.

We have some one-off checks that are more 'instant gratification' like our Rails YAML vulnerability check (https://www.tinfoilsecurity.com/railscheck) and we'll be adding more like these in the future.

Sorry you felt it was a bait-and-switch...we'd love to make it up to you. Feel free to email us at support@tinfoilsecurity.com and we'll definitely try to make it right. :)