Field notes · ongoing

vibeAudit blog.

Security field notes for AI-built apps. Practical guides for Lovable, bolt.new, Cursor, v0, and Claude Code developers — written from the scanner's point of view.

DISCLOSURE · featured April 15, 2026 · 6 min read

40 AI-Built Apps, 30 Critical Findings, Zero Names

In a single day we scanned 40 AI-built production apps. 30 had CRITICAL findings. We're publishing the patterns, not the names. Here's why.

AI SECURITY · April 7, 2026 · 5 min read

Anthropic Mythos Finds Zero-Days — How to Protect Your App Free

Anthropic's Mythos model finds zero-days at scale — but only for 40 companies. Here's how every developer can check their app's security right now, for free.

LOVABLE · March 28, 2026 · 6 min read

Top 5 Security Vulnerabilities in Lovable-Built Apps

Lovable ships fast, but it skips security defaults. Here are the 5 most common vulnerabilities we find in Lovable apps -- and how to fix each one.

CURSOR · March 25, 2026 · 5 min read

Your Cursor App is Probably Leaking API Keys

AI coding assistants like Cursor often put secrets directly in client-side code. Here's how to find and fix leaked API keys before attackers do.

SUPABASE · March 22, 2026 · 7 min read

Supabase RLS: The One Setting That Exposes All Your User Data

Row Level Security is the single most important setting in Supabase. If it's off, anyone can read your entire database. Here's how to fix it properly.

BOLT · April 8, 2026 · 6 min read

Bolt.new Security Checklist: 10 Things to Check Before You Deploy

Bolt.new ships fast. Too fast to add security defaults. Here are 10 things to check before your app goes live.

FIREBASE · April 9, 2026 · 5 min read

Firebase Rules: Why Setting Read/Write to True Is a Disaster

The default Firebase rules for quick prototyping give everyone full access to your database. Here's how to lock it down.

SECURITY · April 10, 2026 · 4 min read

Is Your .env File Public? How to Check in 10 Seconds

If your .env file was ever committed to Git, your secrets are in your repo history. Here's how to check and fix it.

CYBERSECURITY · April 12, 2026 · 6 min read

AI Security Scanning in 2026: What Indie Devs Actually Need

The cybersecurity industry is changing fast. Mythos, AI pentesting, automated scanning — here's what actually matters if you're shipping code with AI tools.

VIBE CODING · April 13, 2026 · 5 min read

You Vibe-Coded Your App. Did You Vibe-Test Its Security?

AI built your app in an hour. But nobody tested if it's secure. Here's a 5-minute security test you can run right now.

CLAUDE CODE · April 14, 2026 · 6 min read

Claude Code Security Mistakes: What AI Gets Wrong

We built vibeAudit with Claude Code. Here are the security mistakes it made in our own app — and probably yours too.

TRANSPARENCY · April 15, 2026 · 5 min read

We Scanned Our Own AI-Built App. Here's What We Found.

vibeAudit is built with AI tools. We ran our own scanner on ourselves. Full transparency on what it found — and what we fixed.

LOVABLE · April 16, 2026 · 5 min read

Lovable 2.0 Security Scan vs vibeAudit: What's Different

Lovable added a security scan in 2.0. It checks if RLS exists. vibeAudit checks if it actually works. Here's the difference.
