Blog

Research & findings

Analysis from scanning thousands of recently shipped products.

Case StudyJune 5, 2026

Your Deployed App Is Serving Its Own Source Code

73 out of 12,000 recently launched apps had their .git directory accessible over HTTP. An exposed .git directory lets an attacker reconstruct the entire repository, including every secret ever committed.

Read →

Case StudyMay 21, 2026

A Founder Lost $2,500 Because His AI-Coded App Shipped a Stripe Secret Key in the Frontend

An AI coding tool put a live Stripe secret key directly in frontend JavaScript. Bots found it, charged 175 customers $500 each, and the founder ate $2,500 in processing fees.

Read →

ResearchApril 15, 2026

We Scanned 12,000 Vibe-Coded Apps. Not One Came Back Clean.

Across 12,000 recently launched products, every single app had at least one security finding. Here is what we found, and why the pattern is predictable.

Read →