WE SCANNED 600 NEW APPS.
100% HAD SECURITY HOLES.
Between April and July 2026, ScanMyVibe automatically security-scanned 600 apps the day they launched on Show HN — the indie and AI-built software the whole internet sees first. Not one of them was clean. Here is what we found.
THE FINDINGS
Across 600 freshly-launched apps we surfaced 6,191 security issues — an average of 10.3 per app. The average security score was 68.9/100, and half of all apps (49.8%) scored below 70.
More alarming than the volume is the severity: 38.3% of apps shipped with at least one critical vulnerability and 63.8% carried a high-severity issue — the classes that leak databases, expose secrets, or let anyone bypass your login. These aren't theoretical. They were live, on the public internet, on launch day.
It matches what the wider research has been screaming about AI-assisted development:
When you ship an app from a prompt in an afternoon, security is the step that silently gets skipped. The tools optimize for "it works" — not "it's safe."
WHAT SCANMYVIBE CHECKS
Exposed secrets & API keys
Live keys, tokens and .env values shipped to the browser or committed to public builds.
Open databases
Supabase RLS disabled, Firebase rules wide open — anyone can read or write your data.
Broken auth & authorization
Auth silently weakened during AI iteration; endpoints anyone can call without a login.
Missing security headers
No CSP, HSTS or frame protection — the default state of most AI-scaffolded apps.
Injection & XSS
Unsanitized inputs and DOM sinks that hijack sessions or leak the database.
Unintended exposure
Reachable .git, source maps and admin/staging subdomains that map your whole stack.
ScanMyVibe runs an automated daily job that scans new Show HN launches with its 150+ security checks across 16 modules. Figures above are computed from 600unique apps scanned between 19 Apr and 7 Jul 2026 (5 malformed records excluded). "Issue" = any finding of info severity or higher; "critical"/"high" follow CVSS bands. Show HN apps skew toward indie, early-stage and AI-assisted builds — the same profile as vibe-coded software.
IS YOURS IN THE 100%?
Scan your Lovable, Bolt, Cursor, v0 or Replit app in 30 seconds. Free, no signup — and get the AI fix prompt for every issue we find.
SCAN MY APP FREE