Roadmap
Updated 2026-06 for v2.3.0. The full ROADMAP.md lives in the repo.
✓ Shipped
v2.3.0 (Round-65)
2026-05-24: Group C — 10 AI-triage features (opt-in, behind Advanced AI options panel). Opt-in transparent local-first usage analytics.
v2.2.0 (Round-64)
2026-05-24: 165 features across 18 groups: active exploit verification, continuous monitors, 10-provider threat-intel federation, SLSA L3 signed releases, 26 new attack-surface checks, enterprise mode, 9 distribution channels.
v2.1.0 (Round-63)
2026-05-23: 8-source nightly CVE aggregator.
v2.0.0 (Round-62)
2026-05-20: AGPLv3 relicense. WP companion plugin. 15 compliance frameworks.
⏳ In progress (next 30 days)
- Real third-party security audit (RFI to PFI firms)
- OpenSSF Scorecard score > 7.0
- Public release on PyPI with PEP 740 Sigstore attestations
- React Native + Capacitor mobile clients (currently scaffolded)
📅 Q3 2026 (v2.4.0)
- Kubernetes operator implementation (currently scaffolded)
- Distributed coordinator across N workers
- Spanish + German GUI localisation completion
- Check marketplace (third-party check signing + community trust score)
📅 Q4 2026 (v3.0.0)
- EV code-signing certificate (Defender FP elimination)
- E&O insurance program
- Third-party audit report published
- Annual State of WP Security report (inaugural edition)
✗ Things we will NOT do
- Add telemetry that's not opt-in (PROMISE)
- Move to a paid-only model — the open-source scanner stays open
- Accept code from PRs without unit tests
- Add JS-runtime requirements to the .exe distribution (keeps Defender FP rate low)
Influence the roadmap
Tell us what you'd find most useful. Direct line to the maintainer.