Quittr was thriving. The habit-tracking app had hit $1 million in revenue, earned an Oprah mention, and had over 39,000 active users. The founder had done what every vibe coding success story promises — built fast, shipped faster, and found real customers.
Then a security researcher sent an email.
The entire Firebase database — every user's name, email, personal habit data — had been publicly readable and writable since day one. The database rules let anyone who knew where to look read and overwrite it, without logging in. For weeks. While the business was growing.
This wasn't a sophisticated attack. There was no hacker. Just a default setting the AI had chosen because it was easier, and a founder who had no reason to question it.
91.5% of vibe-coded apps have at least one security vulnerability. Wiz scanned 5,600 apps and found 400 with exposed secrets. 70% of apps built with Lovable ship with Row Level Security disabled. 1 in 5 enterprise breaches is now caused by AI-generated code.
Quittr is not an outlier. It is the rule. And the reason isn't incompetent founders — it's a fundamental truth about how AI coding tools work.
"Telling an AI agent to be safe is not the same as enforcing that it is safe. Prompts can be overridden, misunderstood, or ignored."
— Thoughtworks, The VibeSec Reckoning (May 2026)

When you tell Claude or Cursor to "be secure," it tries — but it also tries to solve your problem quickly. And the quickest path is rarely the safest one. Public bucket? Works immediately. Row Level Security? Adds friction. Hardcoded API key? Ships faster than environment variables.
The AI is not malicious. It's optimising for the wrong thing.
Understanding why this happens — and how serious software companies prevent it — is the first step to protecting your app. So let's go through it, stage by stage.
The Foundation: Principles Every App Must Follow
Before we get to the eight stages of professional security, there are five principles that underpin all of them. These aren't advanced techniques — they're the baseline. Every app with real users should operate on these rules from day one.
1. Least Privilege
Every user, service, and process gets only the minimum access it needs — nothing more. A background job that reads your database shouldn't also have permission to delete it. A service account that uploads images shouldn't have access to your users table. This is exactly what Thoughtworks caught: their AI assigned an overpowered service account because it was the path of least resistance.
2. Defense in Depth
No single security control is trusted to hold on its own. You layer them. Auth check → database RLS → network firewall → audit logs. If one layer fails, the next catches it. Relying on a single gate is how one misconfiguration becomes a catastrophic breach.
3. Zero Trust
Never assume anything inside your system is automatically safe. Verify every request, every time, regardless of where it originates. "Inside the firewall" is not a security posture. Every API call should ask: who is this, do they have permission, and should I trust this request right now?
4. Secure by Default
The safest configuration should be the default. Shipping something insecure should require deliberate effort. Bolt shipping with RLS disabled is the exact opposite of this principle. Every new table, route, and storage bucket should start locked — not open.
5. Fail Securely
When something breaks, it should break in a way that denies access — not grants it. A crashed auth service should lock users out, not wave them through. An unexpected error should never reveal your database schema, stack trace, or internal paths to the user.
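The five principles applied to the layer this page keeps coming back to, as an added example that is not from the original page or from VibeSafe: a Supabase (Postgres) habits table the way an AI assistant typically leaves it, then the same table locked down. The table, column, role and policy names are illustrative; `anon` and `authenticated` are Supabase's built-in roles, and `auth.uid()` is Supabase's helper that returns the user id from the verified JWT on the current request.

```sql
-- Added example, not from the page or from VibeSafe. Names are illustrative.

-- As generated: no RLS. Supabase exposes tables in the public schema through its
-- REST API, so the anon key shipped inside the client can read and overwrite every row.
create table public.habits (
  id       bigint generated always as identity primary key,
  user_id  uuid not null references auth.users (id) on delete cascade,
  name     text not null,
  streak   integer not null default 0
);

-- 4. Secure by default: switch RLS on before the table is reachable. With RLS on and
--    no matching policy, a query returns zero rows rather than every row.
alter table public.habits enable row level security;

-- 1. Least privilege: Supabase grants anon broad table privileges by default;
--    unauthenticated callers have no business here, so take that away entirely.
revoke all on public.habits from anon;

-- 3. Zero trust: every statement is checked against the caller's verified identity
--    on that request (auth.uid() is read from the JWT), never against where it came from.
-- 5. Fail securely: a predicate that evaluates to NULL (auth.uid() is NULL when there
--    is no user) denies the row; Postgres never treats NULL as "allow".
create policy habits_select_own on public.habits
  for select to authenticated
  using (user_id = auth.uid());

create policy habits_insert_own on public.habits
  for insert to authenticated
  with check (user_id = auth.uid());

create policy habits_update_own on public.habits
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy habits_delete_own on public.habits
  for delete to authenticated
  using (user_id = auth.uid());

-- 1. Least privilege again: a background job that only aggregates streaks gets its own
--    role, select on the two columns it needs, and nothing else (no insert, update,
--    delete, and no access to auth.users).
create role streak_reporter nologin;
grant usage on schema public to streak_reporter;
grant select (user_id, streak) on public.habits to streak_reporter;

-- The column grant limits which columns the job can read; RLS still limits which rows,
-- so the job needs an explicit policy or it sees nothing at all.
create policy habits_reporter_read on public.habits
  for select to streak_reporter
  using (true);

-- 2. Defense in depth: the application still checks the session before it queries.
--    If an API route forgets that check, these policies are the layer that catches it.
```

Run it in the Supabase SQL editor or as a migration. After the revoke, an unauthenticated REST request against `habits` fails with a permission error instead of silently returning an empty result, which makes a missing login obvious during testing rather than after launch.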
The Eight Stages of Security
Mature software companies don't treat security as a checklist. They treat it as a lifecycle — eight distinct stages, each catching what the previous one missed. Here's how the full picture looks, and where vibe-coded apps typically fall short.
Most vibe-coded apps sit at Stage 0: no threat modeling, no security gates, no secrets management, no incident response plan. The AI built it, it works, and the founder has no idea what it might be exposing. This is not a character flaw — it's a tooling gap. Nobody built the security layer for vibe coders. Until now.
Where VibeSafe Comes In
Stages 1 and 4–8 require engineering teams, compliance budgets, and formal processes. They matter — but they're not where a solo founder with 200 paying customers needs to start.
Stages 2 and 3 are where you get 80% of the protection for 5% of the effort. Catch the issues while you're building. Catch them before you ship. That's exactly what VibeSafe does.
Submit your GitHub repo or connect your Supabase/Firebase project. We run six automated checks — secret scanning, static analysis, RLS configuration, Firebase rule review, .env credential detection, and API route auth gaps — then deliver a plain-English report in 24 hours.
Every finding comes with: severity rating, plain-English explanation of what it means for your users, and the exact code to fix it. No jargon. No DevOps knowledge required.
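What an RLS configuration check has to look at, as an added example that is neither the page's nor VibeSafe's code: four queries against the Postgres catalog that the owner of a Supabase project can run in the SQL editor. They assume the API-exposed schema is `public` and Supabase's built-in `anon` and `authenticated` roles; the service_role key mentioned in the comments is Supabase's server-side key, which bypasses RLS.

```sql
-- Added example, not from the page or from VibeSafe.

-- 1. Tables in the API-exposed schema with RLS switched off: every row is readable
--    (and writable, subject to grants) by anyone holding the anon key.
select c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
  and not c.relrowsecurity
order by 1;

-- 2. Tables with RLS on but no policy at all. Safe on its own (deny-all), but usually a
--    sign that the app reads them with the service_role key, which bypasses RLS entirely.
select c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.oid) = 0
order by 1;

-- 3. Policies that wave everyone through: USING (true) or WITH CHECK (true) granted to
--    anon, authenticated or public is RLS in name only.
select tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true')
  and roles && array['anon', 'authenticated', 'public']::name[]
order by 1, 2;

-- 4. Tables the anonymous role can still touch at the privilege level, whatever the
--    RLS state. Anything beyond SELECT on a table without policies is a write hole.
select table_name,
       string_agg(privilege_type, ', ' order by privilege_type) as privileges
from information_schema.role_table_grants
where grantee = 'anon'
  and table_schema = 'public'
group by table_name
order by 1;
```

Query 1 is the one that matches the "RLS disabled" statistic quoted above; an empty result from all four is the baseline a new project should start from, and any row that appears is worth a policy or a revoke before the next deploy.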
But finding what's already broken is only half the battle. The deeper problem is that every new project you start with an AI coding tool begins with the same insecure defaults. The AI hasn't learned from your last app. It will suggest the same open storage bucket, the same disabled RLS, the same hardcoded API key — unless you give it rules it can't ignore.
Tell us your stack — Lovable + Supabase, Bolt + Firebase, Cursor + Railway, v0 + Vercel, and more — and we generate a security context file (CLAUDE.md / .cursorrules format) built for your exact setup.
Paste it into your project. From the first prompt of your next build, your AI assistant starts with your security rules in context: do not disable RLS, do not hardcode API keys, do not make storage public. The secure path becomes the easy path.
The Road to Stages 4–8
Here's the honest truth: if your app has fewer than 500 users and no sensitive data, Stages 2 and 3 are where you should focus every dollar and hour you have on security. Fix what's broken. Prevent new issues. Ship.
But as you grow — as you start storing payment information, health data, or personal records — the higher stages become unavoidable. Here's what that roadmap looks like:
VibeSafe starts you on this path. Audit and Shield get you through Stages 2 and 3. The next version of VibeSafe will help you navigate Stages 4 and beyond — runtime monitoring, automated CVE alerts for your specific dependencies, and a guided compliance checklist when you're ready to go enterprise.
Today: Audit (Stage 3) + Shield (Stage 2) — $99 bundle.
Next: Ongoing CVE monitoring, runtime anomaly alerts, dependency auto-patching.
Future: Guided SOC 2 prep, incident response playbooks, compliance checklists.
The One Thing to Do Today
If you've shipped a vibe-coded app in the last 12 months, there's a better-than-even chance it has at least one real security issue. Not because you're careless. Because the AI took the path of least resistance and nobody told it not to.
The fix is not complicated. It doesn't require a security engineer or a compliance consultant. It requires knowing what's broken — and having the rules in place so it doesn't happen again.
That's what VibeSafe is. A plain-English security audit for apps that are already live. And a shield that makes every project you build after this one start from a secure baseline.
Audit + Shield — the full fix, once.
Scan your existing app. Shield every project after it.
One-time payment · No subscription · Report in 24 hours · 7-day refund guarantee
Quittr found out from a security researcher. That was lucky. The next founder might not be.