Trust & privacy
What we do — and deliberately don't — with data · last updated June 2026
IsItPatched is a defender's tool. It exists to help you patch faster, not to help anyone attack. This page explains, in plain terms, why a public vulnerability dashboard doesn't expose you — and exactly what happens to any data you give us.
1. We never know what you run
The products you monitor in My Stack are saved only in your browser (local storage) — they never reach our servers. We hold no profile of you, your company, or your software estate. There is simply no inventory for anyone to leak, subpoena, or steal, because we never collect one.
2. We don't link companies to software — and that's the whole point
A targeted attack needs two facts: "company A uses software X" and "software X is vulnerable."
- "Software X is vulnerable" is already public in NVD and CISA's catalogues — with or without us. We add nothing an attacker doesn't already have.
- "Company A uses software X" is the sensitive half — and IsItPatched never reveals it. We only ever publish information about software, never about who uses it.
So we are not a blueprint for attacking anyone. We're a clear, plain-English layer on top of data defenders often struggle to read and attackers already weaponise.
3. What we publish — and what we never will
- ✅ We publish: whether a version is affected, how severe it is, whether it's being exploited, and the safe version to upgrade to — always pointing you toward the fix.
- ❌ We never publish: exploit code, proof-of-concept payloads, or step-by-step exploitation guides. For remediation detail we link to the official vendor advisory.
4. Your email alerts
Email is entirely optional and opt-in. Nothing is ever sent unless you choose it. The notifications you can switch on:
- Stack alerts — emailed when a product you monitor in My Stack becomes actively exploited (CISA KEV) or reaches end-of-life.
- Critical-CVE summary (optional add-on) — also emailed when a new critical CVE affects a product in your stack, not only when one becomes actively exploited.
- SBOM monitoring — emailed when a new vulnerability appears in components from an SBOM you opted to monitor.
Every one is double opt-in (you confirm by link) and unsubscribable in one click. Here's the complete data picture:
- We store only your email address and the product names you chose to watch — nothing about your systems, IPs or company.
- Passwordless & double opt-in — you confirm via a link, so nobody can sign up an address they don't control.
- Locked to our servers — the database denies all public access; only our server-side functions can read or write it. (Watching software is an interest, not proof you run it — but we protect it as if it were sensitive anyway.)
- Processed in the EU, and you can unsubscribe or have your data erased at any time, in one click.
- SBOM monitoring is opt-in. The SBOM scanner is private by default — your file is parsed in your browser and never uploaded. Only if you explicitly tick "monitor this SBOM" do we store the component coordinates (package name + version) and your email, so we can alert you when a new vulnerability appears. That is the one case where we keep a component list — by your double-opt-in consent — and unsubscribing erases it.
5. How the site itself is built
- No secrets in your browser — every build is automatically checked to ensure no API key or credential can ship to the client.
- Deny-by-default data access, server-side keys only, all output escaped, served over HTTPS with a strict content-security policy.
- No accounts, no passwords to breach, and analytics only with your consent.
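As an added illustration of the "no secrets in your browser" build check described above (example code written for this page, not IsItPatched's own tooling): a Node script that scans the emitted client bundle for credential-shaped strings and fails the build if any appear. The key-prefix patterns, the assumed SERVER_ naming convention for server-only environment variables, and the sample bundle text are all constructed here for illustration.

```javascript
// Build-time gate: refuse to ship a client bundle that contains anything
// shaped like a credential. Added example, not IsItPatched's own code.

// Known credential shapes (public prefix formats) plus one project-specific
// assumption: server-only env vars are named SERVER_*, so any reference to
// one inside client code means a server value was inlined by the bundler.
const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Stripe secret key', re: /\bsk_(live|test)_[0-9A-Za-z]{16,}\b/g },
  { name: 'GitHub token', re: /\bgh[pousr]_[0-9A-Za-z]{36,}\b/g },
  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  { name: 'server-only env var', re: /\bSERVER_[A-Z0-9_]+\b/g },
];

// Shannon entropy in bits per character, used to catch key formats that
// match none of the known prefixes above.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Scan one emitted file; returns a list of {file, kind, match} findings.
function scanBundle(filename, text) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) findings.push({ file: filename, kind: name, match: m[0] });
  }
  // Generic check: quoted literals of 32+ token characters with > 4.5 bits/char.
  for (const m of text.matchAll(/["']([A-Za-z0-9+\/=_\-]{32,})["']/g)) {
    const tok = m[1];
    if (entropy(tok) > 4.5 && !findings.some((f) => f.match === tok)) {
      findings.push({ file: filename, kind: 'high-entropy literal', match: tok });
    }
  }
  return findings;
}

// Gate over the whole build output ({path: contents}); a CI step would exit
// non-zero when ok is false so the bundle is never deployed.
function checkBuild(files) {
  const findings = Object.entries(files).flatMap(([f, t]) => scanBundle(f, t));
  return { ok: findings.length === 0, findings };
}

// Constructed sample build: one clean chunk, one that inlined a server key
// and referenced a server-only env var name.
const SAMPLE_BUILD = {
  'assets/app.js': 'const API = "https://api.example.invalid/v1"; fetch(API + "/cves");',
  'assets/chunk-2.js': 'const key = "sk_live_abcdefghijklmnopqrstuvwxyz0123"; /* SERVER_DB_URL */',
};

const result = checkBuild(SAMPLE_BUILD);
console.log(result.ok ? 'build clean' : `BLOCKED: ${result.findings.length} finding(s)`);
```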
Frequently asked
Does IsItPatched track what software my company uses?
No. The list of products you monitor ("My Stack") is saved only in your own browser and never reaches our servers. We have no record of who you are or what you run.
Could a hacker use IsItPatched to find out a company is vulnerable?
No. IsItPatched only publishes "software X has vulnerability Y" — information already public in NVD and CISA. It never publishes "company A uses software X". That linkage, which is the part an attacker would need, is something we neither collect nor expose.
Is the vulnerability data on IsItPatched public?
Yes. Every CVE, severity, exploitation status and end-of-life date comes from free, authoritative public sources — NVD, CISA KEV, EPSS and endoflife.date. We aggregate and explain that data; we do not reveal anything secret.
Does IsItPatched publish exploit code or hacking instructions?
No. We tell you what to patch and which version is safe, and link to the official vendor advisory. We never publish exploit code, proof-of-concept payloads or step-by-step exploitation instructions.
Is it safe to subscribe to email alerts?
Yes. Alerts are passwordless and double opt-in, we store only your email and the product names you chose, that data is locked to our servers (public access is denied at the database level), it is processed in the EU, and you can unsubscribe or be erased at any time.
More detail: Privacy policy · Methodology · Disclaimer. Questions? Get in touch →