
Can you recommend a couple of good automated security tools?



Very useful list. None of these have anything running as a service you can try out easily; I guess that would be a Bad Idea anyway, as this kind of tool might either accidentally cause stuff to happen to a server, or be used as part of an attack. I guess script youngsters will not be very much deterred by having to install e.g. a Python or Ruby library - but any lazy bum that drops the idea to scan someone else's site is a win.


https://www.tinfoilsecurity.com is a hosted automated security tool (Disclaimer: I work for Tinfoil)


Just tried it, not impressed.

"give us your email, give us your email, give us your email" on the first page isn't very welcoming, it sounds desperate. I can wait a short while for a scan (I came for the scan, not to give you my email address - what are you going to do with it, by the way?)

The scan returns 3 vulnerabilities - I have to create an account to see them. Alright, it's a "security company" (even though I've never heard of it before), how bad can it get? I have good spam filters anyway, whatever.

After creating the account, I have to verify I am the owner (this is a good thing!). I choose the meta tag option - it's broken, and the error is at the top of the page, not at the bottom where I have clicked "Verify". The link in the error doesn't even work.

So, I upload the HTML file, and proceed to my report, where the 3 vulnerabilities have reduced to 1, a vague "Entrance scan". Impossible to see the contents, the only possible action is another scan, which returns 0 vulnerabilities, my website is safe.

Just before closing the page, I notice my email address at the top right, I see "My Account" there... and it's a good thing I've checked, because I've been signed up to 2 newsletters.


(Disclaimer: I'm a cofounder of Tinfoil)

Sorry about the experience you had! We only ask for your email address in the event that you leave the scan running and go away, so that we can email you a link to your report once the scan is finished.

We require verification before viewing any vulnerability data because we wouldn't want to show the vulnerabilities to someone who shouldn't have access. We'll take a look into the Meta tag issues you were having - normally that works great, but it's possible we messed something up.

The 3 vulnerabilities being reduced to 1 is /incredibly/ unusual, and we've never seen that before. Could you email me at borski@tinfoilsecurity.com with the URL or email associated with your account? I definitely want to look into this and fix it if there's an issue.

As for the two newsletters, you're more than welcome to unsubscribe. We think the information contained in those emails is actually very useful to anybody programming web applications, but we certainly understand that it is more useful for some than others. :)

TL;DR: Would love to fix the issues you ran into - please email me and we'll make it right. :)


The communication needs to improve at every step. I've just discovered that my one-off scan is actually a daily scan.

I admit that my intent was curiosity rather than something I actually need, however there are more things happening in the background than expected.



