Skip to main content

Methodology v1.3.0

Methodology changelog

Every release that affected scan output. Use this to compare an old report against today's methodology, or to evidence what changed for a procurement review.

Older Vantyris reports carry the methodology version in their footer. Cross- reference that version with the matching entry below to know what the scanner could and could not see at the time. Methodology decisions are documented in /methodology.

  1. 2026-05-25

    Subdomain enumeration (passive)

    v1.3.0

    Added

    Verified scans now include a passive subdomain-discovery pass via Certificate Transparency logs (crt.sh) plus a curated wordlist. Discovered hosts get a DNS A-lookup; only resolving names appear in the report.

    • New scanner module: subdomains (12 in-process modules now, was 11).
    • Output is capped at 100 hosts; wildcard A records surface a separate finding.
    • Sensitive labels (admin, dev, staging, internal, etc.) emit a Medium-severity finding citing the staging-on-public-internet risk.
    • Attack Surface Map gains a Subdomains block.
  2. 2026-05-25

    Premium report transformation (S1-S4)

    v1.2.0

    Extended

    Verified-scan reports gain six new sections: Top Actions, Score Breakdown by Category, Attack Surface Map, Business Risk View, Fix Roadmap, and Methodology. Server-rendered branded PDF replaces the browser-print fallback. CSV gains category / owner / effort / roadmap_bucket columns.

    • Findings now carry typed category (9 axes), owner (7 values), effort (6 values).
    • Eight new in-process scanner modules: DNS depth + DNSSEC + RDAP, email depth (DKIM/BIMI/MTA-STS/TLS-RPT), cookies, tech fingerprint, privacy/GDPR, reputation (Safe Browsing + RBL), supply chain (SRI), sensitive-file exposure (verified-only).
    • ~95 new authored remediation entries (total ~180).
    • New PDF outputs: full report, per-finding work order, Compliance Readiness one-pager.
  3. 2026-05-24

    Workflow + Cyber Essentials alignment + sharing

    v1.1.0

    Extended

    Findings gain workflow state (open / fixed / accepted / ignored / assigned), assignee email, due date, and threaded comments. Cyber Essentials A1-A5 alignment section ships. Public share links and trust pages go live.

    • Finding cards show workflow controls.
    • /share/<token> public viewer in three modes: full, executive, redacted.
    • /trust/<slug> public trust page with controls-in-place matrix.
    • Continuous monitoring enrollment with weekly re-scan and alert email.
    • Workspace API keys + read-only /api/v1/* endpoints.
  4. 2026-05-23

    Initial release

    v1.0.0

    Added

    Four in-process modules - TLS handshake, HTTP security headers, DNS hygiene, email authentication (SPF + DMARC). Editorial scan-report renderer with gauge + radar + plain-English executive summary. 80 authored remediation entries.

    • Teaser: TLS + headers only (free).
    • Verified: 4 modules behind ownership verification.
    • Severity-floor scoring (SSL Labs-style): worst finding caps the grade tier.

Versioning policy

We use semantic versioning at the methodology level. vMAJOR.MINOR.PATCH: