Blog
Research & findings
Analysis from scanning thousands of recently shipped products.
New
Scanner comparisons
Side-by-side comparisons of every security scanner targeting vibe-coded apps.
See all comparisons →The .env File Your Web Server Is Serving to the Internet
In a scan of 12,000+ recently launched apps, 17 had their .env file accessible over HTTP. One file, every production secret, no authentication required.
Read →
What Happens in the First 5 Minutes After You Leak an API Key
Automated bots detect leaked API keys within seconds of a commit being pushed. Here is the minute-by-minute timeline of what happens next, and why deleting the key in the next commit does not help.
Read →
Your Supabase Database Is Probably Public Right Now
CVE-2025-48757 exposed 170+ Lovable-generated apps with missing Row Level Security. One breach leaked 18,000 student and educator records. If you used an AI tool to create your Supabase tables, your data is likely wide open.
Read →
Your Deployed App Is Serving Its Own Source Code
73 out of 12,000 recently launched apps had their .git directory accessible over HTTP. An exposed .git directory lets an attacker reconstruct the entire repository, including every secret ever committed.
Read →
A Founder Lost $2,500 Because His AI-Coded App Shipped a Stripe Secret Key in the Frontend
An AI coding tool put a live Stripe secret key directly in frontend JavaScript. Bots found it, charged 175 customers $500 each, and the founder ate $2,500 in processing fees.
Read →
We Scanned 12,000 Vibe-Coded Apps. Not One Came Back Clean.
Across 12,000 recently launched products, every single app had at least one security finding. Here is what we found, and why the pattern is predictable.
Read →