FAQ | StackFlag

StackFlag monitors public vulnerability databases (NVD, GHSA, OSV, CISA KEV, EPSS, and Vulnrichment) every hour. When a new vulnerability matches software in your stack, we flag it with a plain-English summary explaining what the problem is, how serious it is, and what you should do about it. Think of it as a security news feed filtered down to only the things that affect you.

No. StackFlag is designed for developers, IT managers, and business owners who are not security specialists. Vulnerability descriptions are rewritten in plain English with clear remediation steps. You describe your software in everyday terms ("we run WordPress on nginx with a PostgreSQL database") and StackFlag handles the technical matching.

After signing up, use the Stack Wizard to describe your software in plain English. StackFlag analyses your description and creates monitors automatically. You can also add monitors manually by searching for specific software names or CVE identifiers. The whole setup takes about two minutes.

We pull from six sources, updated hourly: the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), Open Source Vulnerabilities (OSV), CISA Known Exploited Vulnerabilities (KEV), Exploit Prediction Scoring System (EPSS), and CISA Vulnrichment. This covers the vast majority of publicly disclosed vulnerabilities across all ecosystems.

Yes. StackFlag provides continuous vulnerability monitoring with a triage audit trail (unread, read, acknowledged, dismissed) and timestamped notes. This maps directly to controls in ISO 27001, SOC 2, Cyber Essentials, NIS2, PCI DSS, and NIST 800-53. Your flag history serves as evidence that vulnerabilities were identified, assessed, and actioned.

StackFlag is free during the beta period. All features are available to all users at no cost. We will introduce paid plans in the future, but beta users will be given generous notice and migration terms.

Yes. You can invite team members from Settings. Team members share the same stacks, flags, and alert configurations. Each person gets their own login and can triage flags independently. CC recipients can also be added to individual monitors to receive alert emails without needing an account.

Frequently asked questions

What does StackFlag actually do?

Do I need security expertise to use it?

How do I set up monitoring?

What vulnerability databases do you check?

Can I use StackFlag for compliance evidence?

How much does it cost?

Can I invite my team?