Scope
This advisory documents the Phase 4 acquisition hardening pass and the controls currently enforced in production.
Control set
1) Public-safe acquisition endpoint
Acquisition scans are exposed through a public-safe surface:
POST /api/public/acquisition/scanGET /api/public/acquisition/results/{scan_id}
The response intentionally limits detail to trust score, top finding summaries, and shareable trust-card links.
2) Abuse control
Public acquisition scans are bounded by a sliding-window rate limiter on caller IP.
Key behaviors:
- Per-IP rate limiting on quick scan submission
- Explicit
429with retry metadata when limit is exceeded - No bypass path through client-side state
3) Share loop and upgrade handoff
Every acquisition scan emits:
- Public trust-card URL (
/acquire/{scan_id}) - Workflow deep link (
/dashboard/workflow) - Upgrade CTA with return path to workflow
This keeps acquisition and investigation flows connected without removing existing production paths.
4) Conversion-event contract
Client instrumentation uses a fixed event taxonomy, including:
quick_scan_startedquick_scan_completedfirst_scantrust_card_viewedtrust_card_sharedbadge_copied- workflow and upgrade transition events
Critical events enforce identity requirements server-side for reliable conversion math.
Evidence links
- Production acquisition route: https://www.vigile.dev/acquire
- Production workflow route: https://www.vigile.dev/dashboard/workflow
- API health: https://api.vigile.dev/health
- Deployment PRs: vigile-api#7, vigile-web#28
Current watch items
- Conversion event stability remains under active verification, with a production stability patch in progress.
- Acquisition gate decisions are reviewed weekly to ensure keep, change, or remove actions are evidence-driven.
Why this matters
Security tooling adoption starts at trust. The acquisition path is now constrained, measurable, and linked to investigation workflows rather than isolated scoring pages.