Cross-platform identity (Pro) — the scorecard now surfaces forges where the contributor publishes the same SSH public key as on GitHub: GitLab, Codeberg, and Sourcehut. The same private key signs operations on multiple platforms, so this is T1 cryptographic confidence — the strongest cross-platform identity signal available, far stronger than declared-link or username matches. The same handle is assumed across forges (v1 limitation). Bitbucket has no public keys endpoint; GPG fingerprint matching is deferred. Cached weekly.
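The key match described above can be sketched as follows. This is an added example, not the product's own code: it assumes each forge's public key listing arrives as authorized_keys-style text, and the function names, sample listings, and key bytes are all constructed for illustration.

```python
import base64
import hashlib
import struct

def sample_blob(key_type, raw):
    """Constructed sample data: SSH wire-format public key blob, base64-encoded."""
    name = key_type.encode()
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(wire).decode()

def parse_keys(text):
    """Return SHA256 fingerprints of the well-formed keys in a key listing."""
    prints = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            wire = base64.b64decode(fields[1], validate=True)
        except ValueError:
            continue
        # The blob opens with a length-prefixed algorithm name; require it to
        # match the declared type so a mislabelled or truncated line is dropped.
        if len(wire) < 4:
            continue
        (n,) = struct.unpack(">I", wire[:4])
        if wire[4:4 + n] != fields[0].encode():
            continue
        # Hash the blob only: comments differ per forge and must not affect the match.
        digest = hashlib.sha256(wire).digest()
        prints.add("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
    return prints

def shared_keys(listings, anchor="github"):
    """Map each other forge to the fingerprints it shares with the anchor forge."""
    base = parse_keys(listings[anchor])
    matches = {forge: base & parse_keys(text)
               for forge, text in listings.items() if forge != anchor}
    return {forge: fps for forge, fps in matches.items() if fps}

# Constructed listings for one handle on four forges (not real keys).
K1 = sample_blob("ssh-ed25519", bytes(range(32)))
K2 = sample_blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE = {
    "github": f"ssh-ed25519 {K1}\nssh-ed25519 {K2}\n",
    "gitlab": f"ssh-ed25519 {K1} Alice Example (gitlab.com)\n",  # same key, extra comment
    "codeberg": f"ssh-ed25519 {sample_blob('ssh-ed25519', bytes(32))}\n",  # unrelated key
    "sourcehut": f"ssh-rsa {K2} laptop\nnot-a-key\n",  # mislabelled key plus a junk line
}
```

Calling `shared_keys(SAMPLE)` reports only the GitLab account: its key matches despite the trailing comment, while the unrelated Codeberg key and the mislabelled Sourcehut line produce no match.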
May 3, 2026 v0.25
Stack Overflow reputation (Starter+) — when the contributor's GitHub bio or blog declares a stackoverflow.com/users/{id} link, the scorecard now surfaces their SO reputation, badge counts (gold / silver / bronze), and account age. This is a cross-platform credibility signal at T2 confidence (declared link). Cached weekly to stay well under the Stack Exchange Data API's 300/day per-IP quota; setting the optional DEVTRACE_SO_API_KEY lifts that to 10000/day.
May 3, 2026 v0.23
Package Publisher detection (Starter+) — the contributor scorecard now surfaces npm packages this contributor publishes under their handle, including aggregate count and a top-N list with package names, roles, and registry links. Strong supply-chain credibility signal: a write-role relationship with widely-used packages is one of the few user-attested identities downstream consumers actually depend on. Cached weekly. PyPI is a planned follow-up (no public reverse-lookup API today).
May 2, 2026 v0.22
OSSF Scorecard (Starter+) — when a repo is provided in the score request (?repo=owner/name), the contributor scorecard now surfaces the OpenSSF Scorecard assessment for that repo: aggregate score (0–10) plus per-check results for Code-Review, Branch-Protection, Maintained, Vulnerabilities, Token-Permissions, Fuzzing, SAST, and others.
Security credits (Starter+) — the contributor scorecard now surfaces GitHub Security Advisory credits where the contributor is listed as reporter, fixer, analyst, or other role.
Enrichment on the scorecard — the contributor scorecard now displays lifetime activity tiles (PRs, reviews, issue comments, active days), reciprocity ratios (reviews per PR, issue close rate), top repositories the contributor engages with, owned-repo summary with language footprint, and linked external accounts (Twitter/X, Mastodon, LinkedIn, personal sites, etc.).
May 2, 2026 v0.19
Profile email surfaced — the contributor's public GitHub profile email is now included in enrichment.emails alongside any addresses found in bio or blog text. Previously only bio-embedded emails were captured, missing the most common case.
Personal-site classification — URLs with a path component on a non-platform host (e.g. https://example.com/blog/post) now correctly classify as personal_site instead of falling through to unknown.
Profile enrichment — the scoring API and contributor scorecard now surface lifetime activity, top contributed repositories, owned repos with language footprint, reciprocity ratios (reviews per PR, issue close rate), and linked external accounts detected from the contributor's bio and website (Twitter/X, Mastodon, LinkedIn, GitLab, and more), classified by platform.
Watchlists with email digests — subscribe to contributors or organizations and receive weekly email digests covering score changes and new activity. Includes a dashboard widget with server-side search and per-column filters, per-plan retention windows, and RFC 8058 one-click unsubscribe.
Compliance page — new /compliance page documenting the NIST SSDF and EU CRA practice mappings; contributor scorecards now annotate which signals satisfy which practice for at-a-glance audit context.
Expanded bot detection — merge, CI, and automation accounts (Mergify, Kodiak, CodeRabbit, semantic-release-bot, and others) are now correctly excluded from contributor scoring.
Refreshed landing page, social-share previews (Open Graph, Twitter cards), and assorted performance, security, and usability improvements across the dashboard and scoring pipeline.
April 18, 2026 v0.16
Compliance reports (Pro) — Pro plan now includes compliance report generation aligned with NIST SP 800-218 (SSDF) and EU Cyber Resilience Act requirements for contributor provenance audits.
Score with repo context — pass ?repo=owner/name to the scoring API or UI to get repository-specific signals like commit count, org membership, and author association.
Score history API — /api/v1/score/{username}/history endpoint returns historical scores for trend analysis, with retention windows tied to your plan (30/90/365 days).
Contact support — signed-in users can now reach support directly from the Help page without leaving the app.
Performance, security, and usability improvements across the dashboard, settings, and scoring pipeline.