[borski]

You're right regarding the security implications. We can't show vulnerabilities to someone who hasn't verified they own the site they've scanned, unfortunately. We're working on ways to message this better (specifically, having a "Step N of M" with titles for what each step is.

We have some one-off checks that are more 'instant gratification' like our Rails YAML vulnerability check (https://www.tinfoilsecurity.com/railscheck) and we'll be adding more like these in the future.

Sorry you felt it was a bait-and-switch...we'd love to make it up to you. Feel free to email us at support@tinfoilsecurity.com and we'll definitely try to make it right. :)