BLOG
2026-07-13
5 min read

We scanned 122 more vibe-coded apps. 100% had a security hole.

Fresh data from ScanMyVibe's automated audit of 122 newly-launched apps: 27.9% shipped a critical vulnerability, average security score 72.8/100. What AI-built apps get wrong, and a 5-minute pre-launch checklist.

vibe-codingai-securityshow-hnlovableboltlaunch-security

What we measured

ScanMyVibe runs an automated audit every day against newly-launched apps on Show HN — the indie, early-stage, and increasingly AI-built software the whole internet sees first. This report covers the 122 apps scanned in the last two weeks, with all-time context from 634 apps scanned to date.

No login attempts, no active exploitation — just the security posture any visitor's browser can see: headers, TLS, cookies, exposed files, and obvious information disclosure.

The numbers (the last two weeks)

->100% of apps shipped with at least one security issue.
->27.9% shipped with at least one *critical* vulnerability.
->68.9% carried a high-severity issue.
->Average security score: 72.8/100 (44.3% scored below 70).
->Average of 9.6 issues per app1172 issues in total, including 35 criticals.

All-time across 634 apps: 100% had an issue, 37.5% a critical, average score 69.2/100.

What this means

When you ship an app from a prompt in an afternoon, security is the step that silently gets skipped. AI coding tools optimize for "it works," not "it's safe" — and the numbers show it. These aren't theoretical findings; they were live, on the public internet, on launch day.

The 6 things AI-built apps get wrong most

1. Exposed API keys & secrets — live keys shipped to the browser. The #1 mistake.

2. Open databases — Supabase RLS disabled, Firebase rules wide open.

3. Broken auth — endpoints anyone can call without logging in.

4. Missing security headers — no CSP, HSTS, or frame protection.

5. Injection & XSS — unsanitized inputs that hijack sessions.

6. Exposed files — reachable .env, .git, and source maps.

The 5-minute pre-launch checklist

[ ]No API keys or secrets in your client-side bundle
[ ]Database row-level security is ON (Supabase RLS / Firebase rules)
[ ]Every API route checks authentication and authorization
[ ]Security headers set: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
[ ]No reachable .env, .git, or debug endpoints

Scan your own app

Run your Lovable, Bolt, Cursor, v0, or Replit app through ScanMyVibe in 30 seconds — free, no signup — and get a copy-paste AI fix prompt for every issue found.