What we find when we point the scanner at apps built with Cursor, Lovable, Replit, Bolt, v0 — plus the occasional opinion on why it keeps happening.
We scanned 3,030 vibe-coded apps and found 120 with critical vulnerabilities. 92 had user data (names, emails, phone numbers) readable by anyone. Under GDPR, every one of these is a reportable data breach. Under CCPA, consumers can sue directly.
Supabase RLS is the headline, but it's not the only thing breaking. We found IDOR endpoints leaking health records, OpenAI keys burning money in public JS bundles, entire APIs with zero auth, and private key material shipped to production. Here are 5 non-RLS finding classes from our 1,000-app scan.
We scanned 1,750+ apps — 1,000+ vibe-coded across nine platforms, plus 200 YC companies as a control. Zero CRITs on YC. 53 CRITs on the vibe-coded side. Here's the per-platform breakdown.
We found a live Anthropic + OpenAI + Google key trio in the same JS bundle. Here's what it looked like, how we found it, and what happens next.
One setting. Disabled by default. Exposes every user's data. Repeated across hundreds of apps. Here's why.
Replit's quick-deploy is great. It also makes it really easy to ship your API keys to the internet.
We scanned ~50 published Lovable apps. About 1 in 5 of the Supabase-backed ones had at least one table readable by anyone. Here's the pattern.
No marketing fluff — a direct walkthrough of every module we run.
After months of scanning our own infrastructure and finding one hole too many, we're opening Security Scanner to everyone.