We scanned 122 more vibe-coded apps. 100% had a security hole.
Fresh data from ScanMyVibe's automated audit of 122 newly-launched apps: 27.9% shipped a critical vulnerability, average security score 72.8/100. What AI-built apps get wrong, and a 5-minute pre-launch checklist.
What we measured
ScanMyVibe runs an automated audit every day against newly-launched apps on Show HN — the indie, early-stage, and increasingly AI-built software the whole internet sees first. This report covers the 122 apps scanned in the last two weeks, with all-time context from 634 apps scanned to date.
No login attempts, no active exploitation — just the security posture any visitor's browser can see: headers, TLS, cookies, exposed files, and obvious information disclosure.
The numbers (the last two weeks)
All-time across 634 apps: 100% had an issue, 37.5% a critical, average score 69.2/100.
What this means
When you ship an app from a prompt in an afternoon, security is the step that silently gets skipped. AI coding tools optimize for "it works," not "it's safe" — and the numbers show it. These aren't theoretical findings; they were live, on the public internet, on launch day.
The 6 things AI-built apps get wrong most
1. Exposed API keys & secrets — live keys shipped to the browser. The #1 mistake.
2. Open databases — Supabase RLS disabled, Firebase rules wide open.
3. Broken auth — endpoints anyone can call without logging in.
4. Missing security headers — no CSP, HSTS, or frame protection.
5. Injection & XSS — unsanitized inputs that hijack sessions.
6. Exposed files — reachable .env, .git, and source maps.
The 5-minute pre-launch checklist
Scan your own app
Run your Lovable, Bolt, Cursor, v0, or Replit app through ScanMyVibe in 30 seconds — free, no signup — and get a copy-paste AI fix prompt for every issue found.