Accesseon is now part of Stackproof, our new trust, security, and compliance platform for vibe-coded apps. Your Accesseon subscription and scans are unchanged.

Public methodology

How the Trust Score is computed

This page is the single source of truth for the Accesseon Trust Score. Every change ships with a changelog entry and we never silently rescore customers. Every scan stores the algorithm version it was scored under so historical scores stay comparable to themselves.

Formula

TrustScore = sum over modules m in version V of
    ModuleScore(m) * NormalizedWeight(m, V)

ModuleScore(m) = max(0, min(100,
    100 - 25 * count(m.critical)
        - 10 * count(m.high)
        -  3 * count(m.medium)
        -  0.5 * count(m.low)
))

NormalizedWeight(m, V) =
    Weight(m, V) / sum over successful modules of Weight(n, V)

Modules that failed or were not run drop out of the composite; the remaining weights renormalize so partial scans still produce a comparable score.
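The formula above, carried through in code as an added example (this is not Accesseon's scoring code). The per-version weights and severity penalties are the ones published on this page; the module names match the changelog; the finding counts in the sample scan are constructed for illustration, and the partial scan shows the renormalization step when one module drops out.

```python
# Worked implementation of the Trust Score formula (added example, not
# Accesseon's code). Weights and penalties are taken from this page; the
# sample scan results below are constructed.
from typing import Dict, Optional

# Points deducted per finding, by severity, as stated in ModuleScore().
PENALTY = {"critical": 25, "high": 10, "medium": 3, "low": 0.5}

# Weight(m, V) for each published algorithm version (from the changelog).
WEIGHTS = {
    "v0.1": {"accessibility": 0.55, "security": 0.45},
    "v0.2": {"accessibility": 0.40, "security": 0.40, "performance": 0.20},
    "v0.3": {"accessibility": 0.25, "security": 0.35,
             "performance": 0.15, "ai compliance": 0.25},
}

# A scan result maps module name -> finding counts by severity, or -> None
# when that module failed or was not run.
ScanResult = Dict[str, Optional[Dict[str, int]]]


def module_score(findings: Dict[str, int]) -> float:
    """ModuleScore(m): 100 minus severity penalties, clamped to [0, 100]."""
    raw = 100 - sum(PENALTY[sev] * findings.get(sev, 0) for sev in PENALTY)
    return max(0.0, min(100.0, raw))


def trust_score(results: ScanResult, version: str) -> float:
    """TrustScore under algorithm `version`. Modules with no result drop out
    of the composite and the remaining weights are renormalized to sum to 1."""
    weights = WEIGHTS[version]
    # Modules unknown to this version (e.g. 'ai compliance' under v0.2) are ignored.
    ran = {m: f for m, f in results.items() if m in weights and f is not None}
    if not ran:
        raise ValueError("no module completed; the score is undefined")
    total = sum(weights[m] for m in ran)  # denominator of NormalizedWeight(m, V)
    return sum(module_score(f) * weights[m] / total for m, f in ran.items())


# Constructed sample scan (not real findings).
FULL_SCAN: ScanResult = {
    "accessibility": {"medium": 4, "low": 6},    # 100 - 12 - 3  = 85
    "security":      {"critical": 1, "high": 2},  # 100 - 25 - 20 = 55
    "performance":   {"high": 1},                 # 90
    "ai compliance": {},                          # 100
}
# Same scan, but the performance module failed and drops out.
PARTIAL_SCAN: ScanResult = {**FULL_SCAN, "performance": None}

if __name__ == "__main__":
    print(round(trust_score(FULL_SCAN, "v0.3"), 2))     # 79.0
    print(round(trust_score(PARTIAL_SCAN, "v0.3"), 2))  # 77.06 after renormalizing over 0.85
    print(round(trust_score(FULL_SCAN, "v0.2"), 2))     # 74.0: same findings, older weights
```

The last line is why every scan stores its algorithm version: identical findings score 79.0 under v0.3 and 74.0 under v0.2, so a score is only comparable to scores computed under the same version.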

Dimensions

Accessibility

Full axe-core scan against WCAG 2.0, 2.1, 2.2 A + AA, Section 508 (US), EN-301-549 (EU), and W3C ACT. AAA rules are excluded by default because no major jurisdiction mandates them and they generate noise. Color-contrast and a handful of other rules are flagged as 'needs review' because automated tooling has known false positives there.

Security

Supabase Row Level Security audit using the customer's own anon key. We probe the three tables most commonly misconfigured in vibe-coded apps (profiles, users, orders). Matches the CVE-2025-48757 pattern. Service-role keys are rejected at the settings layer - we only accept anon keys.
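One way to implement the settings-layer rejection of service-role keys, as an added example that is not Accesseon's code. It assumes the legacy Supabase key format, in which both the anon key and the service-role key are JWTs whose payload carries a `role` claim of `anon` or `service_role`; the signature is deliberately not verified, because the check only needs to read the claim, not trust it. The sample keys are constructed, not real project keys.

```python
# Settings-layer check: accept a customer-supplied Supabase key only if it is
# an anon key. Added example, not Accesseon's code. Assumes JWT-shaped keys
# with a `role` claim; the sample keys below are constructed.
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def key_role(key: str) -> Optional[str]:
    """Return the `role` claim of a JWT-shaped key, or None if the key is not
    a decodable three-part JWT with a JSON object payload."""
    parts = key.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not isinstance(payload, dict):
        return None
    role = payload.get("role")
    return role if isinstance(role, str) else None


def accept_customer_key(key: str) -> bool:
    """Accept only keys whose role claim is exactly 'anon'. Anything else,
    including undecodable input, is rejected (fail closed)."""
    return key_role(key) == "anon"


# --- constructed sample keys for illustration (not real Supabase keys) ---
def _fake_jwt(role: str) -> str:
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "HS256", "typ": "JWT"})
    payload = seg({"iss": "supabase", "role": role})
    return f"{header}.{payload}.constructed-signature"


ANON_KEY = _fake_jwt("anon")
SERVICE_KEY = _fake_jwt("service_role")

if __name__ == "__main__":
    print(accept_customer_key(ANON_KEY))      # True
    print(accept_customer_key(SERVICE_KEY))   # False
    print(accept_customer_key("not-a-jwt"))   # False
```

Because `key_role` returns `None` for anything it cannot decode, a key in an unfamiliar format is rejected rather than accepted, which is the right default for a control whose purpose is to keep privileged credentials out of the scanner.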

Performance

Navigation-timing metrics: Time to First Byte, First Contentful Paint, Largest Contentful Paint. Plus transfer size and resource count. Thresholds follow Google's 'good / needs improvement / poor' Core Web Vitals bands.

AI Compliance

Heuristic checks for EU AI Act Article 50 disclosure (when a chatbot is detected), subprocessor disclosure (when third-party AI APIs are called from the client), GDPR DPA availability, and Product Liability Directive readiness (security.txt per RFC 9116, published SLA).
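The security.txt part of the readiness check, written out as an added example (not Accesseon's checker). It validates a fetched `/.well-known/security.txt` body against the requirements RFC 9116 states as MUSTs: at least one `Contact`, exactly one `Expires` carrying an RFC 3339 date-time with a timezone offset that has not passed, and at most one `Preferred-Languages`. The sample files and the fixed "now" are constructed; fetching the file over HTTPS is left to the caller.

```python
# RFC 9116 security.txt validator (added example, not Accesseon's code).
# Checks only the MUST-level requirements; the sample files are constructed.
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field name -> list of values. Field names are
    case-insensitive; comment lines start with '#'; blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first colon only: values hold URLs
        if not sep:
            continue  # malformed line; ignored rather than fatal
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of RFC 9116 MUST violations; empty means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    if not fields.get("contact"):
        problems.append("missing Contact")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # fromisoformat on older Pythons does not accept a trailing 'Z'.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append("Expires is in the past")
            # RFC 9116 also recommends (SHOULD) an Expires under a year out;
            # that is a recommendation, so it is not reported here.

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


# Constructed samples (not any real site's file) and a fixed clock for them.
SAMPLE_OK = """# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/security-contact
Expires: 2026-01-01T00:00:00Z
Preferred-Languages: en, de
Policy: https://example.com/security-policy
"""
SAMPLE_BAD = """# Constructed sample: no Contact, and already expired
Expires: 2024-01-01T00:00:00Z
Acknowledgments: https://example.com/hall-of-fame
"""
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_security_txt(SAMPLE_OK, FIXED_NOW))   # []
    print(check_security_txt(SAMPLE_BAD, FIXED_NOW))  # ['missing Contact', 'Expires is in the past']
```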

Runtime Behavior (gated)

Authenticated IDOR probes, rate-limit checks, XSS reflection tests, session-cookie hygiene. Does not run until DNS-TXT ownership proof, ToS active-testing clauses, hard scheduling limits, and cyber/E&O insurance are all in place.

Version changelog

v0.3 (Current)

accessibility    0.25
security         0.35
performance      0.15
ai compliance    0.25

Four-dimension composite. Accessibility continues to use axe-core + WCAG 2.2 + EN-301-549 + Section 508. Security adds a customer-credential Supabase RLS audit. Performance measures Core Web Vitals + transfer size + request count. AI Compliance checks EU AI Act Article 50, subprocessor disclosure, GDPR DPA availability, and Product Liability Directive readiness (security.txt, published SLA).

v0.2 (Pre-v0.3)

accessibility    0.40
security         0.40
performance      0.20

Three-dimension composite. Preserved for historical score comparability.

v0.1 (MVP)

accessibility    0.55
security         0.45

Two-dimension launch version. Preserved for historical score comparability.

v1.0 (planned) (Gated on legal + insurance)

accessibility    0.20
security         0.35
performance      0.15
ai compliance    0.20
runtime          0.10

Adds the Runtime Behavior module (authenticated IDOR probes, rate-limit checks, session-cookie hygiene). Does not ship until DNS-TXT ownership proof, active-testing ToS clauses, hard rate limits, and cyber/E&O insurance are all in place.

What the score does not guarantee

  • A high Trust Score is not a guarantee against all vulnerabilities.
  • We test what we can automate. Business-logic flaws require human review.
  • The score reflects the application at scan time, not at every moment in between.
  • Public verification pages show the score only - never the underlying findings.
