About the badge
What this badge actually means.
You probably clicked through from a customer's landing page or Stripe checkout. Here's the short version.
What it means
A live Kleared badge means a repo passed our scan suite within the last billing period and the score sits above the dismissal threshold. The score is computed against open findings only — once a fix-PR lands, the score climbs.
What it does not mean: that the app is unhackable, that the team is SOC2-certified, or that we audited the human factor. It means a defined set of automated scanners ran, and the team either fixed or accepted every issue above the threshold.
How to verify it yourself
Every badge ships with an Ed25519 signature over the canonical payload. The public key is committed to the Kleared web repo, so it is public and version-controlled rather than something you have to request from Kleared the company. Here's the three-step verify:
- Fetch the public key: https://kleared.app/keys/v1.pub
- Visit the badge page at https://verified.kleared.app/<slug> and expand “Show payload + signature.”
- Run openssl pkeyutl -verify (or any Ed25519 library) against the canonical bytes: keys sorted, JSON stringified, base64-decoded signature. The check is byte-for-byte, so a different key order or extra whitespace in your own re-serialization will fail even though the data is the same.
If the signature doesn't verify, the page tells you so directly and refuses to render the “verified” tone. Trust no one, including us.
Why we sign it instead of just hosting it
A page hosted on verified.kleared.app only proves that we say a repo is clean. The signature lets a customer point at the badge and say “here's a math-grade proof, not just a screenshot.” Anyone can copy a screenshot. Nobody can forge an Ed25519 signature without our private key. One caveat: a valid signature proves the payload came from us and was not altered; it does not prove the payload is about the repo in front of you, so read the payload's contents, not just the checkmark.
The private key lives in a managed secrets store (not a developer laptop), and key rotation is supported via versioned identifiers (v1, v2...) so existing badges keep verifying against the key version they were signed with after a roll.