Your AI-coded app probably has leaked secrets, missing auth, and SQL injection. Find out before a user does.
VibeScan reviews your GitHub repo in 10 minutes and emails you a plain-English PDF of what's dangerous, what's broken, and exactly how to fix each one. No engineer jargon. No 300-page report. Just the findings you'd pay a consultant $2,000 to write.
You'll send us your GitHub repo URL by replying to the receipt email. Private repo? Reply with a read-only deploy key. Payment processed by Gumroad — secure checkout, card or PayPal.
What we find in almost every repo.
- 43% — missing auth on API routes. Your Supabase Edge Function / Next.js API / Firebase Function is callable without a token.
- 43% — no rate limiting on signup, contact, or search endpoints. Anyone can fill your DB with junk in 60 seconds.
- 33% — CORS wildcard (`*`). Any origin can hit your API and read the response.
- 32% — admin access gated by a client-side flag. Editable in devtools in 10 seconds.
- 14% — file uploads with no MIME-type or size check. 5GB .exe, uploaded.
Pattern frequencies across our research corpus — 27 public vibe-coded apps audited this week.
Try it free on your repo first.
Email mike.j.kaplan+scan@gmail.com with your GitHub repo URL. You'll get the top finding from a preview scan back within ~5 minutes — free, no signup, no catch.
The preview covers ~25% of your code (the highest-risk files). If it finds something real, you'll want the full audit. If it doesn't, you've saved $49.
Or see a representative report first.
Download sample report (PDF) — 8-finding sample audit with fixes, on a fictional repo
Read how VibeScan finds these.
- I audited 21 vibe-coded apps in 48 hours — 5 patterns that keep showing up
- I ran VibeScan against my own codebase — it caught a bug I'd shipped to main
- Your Supabase Edge Function probably has no auth — 20-line fix
- The 5 patterns that showed up in every single audit (all 9 of them)
- The 12 issues I keep finding in Lovable / Bolt / v0 apps
- Your first Supabase RLS policy, without exposing your whole database
A real finding list looks like this.
- critical: Your Supabase service_role key is committed to the repo. Fix: rotate the key in the Supabase dashboard → move it to environment variables → rewrite history with `git filter-branch` or start with a fresh key.
- critical: `/api/contact` accepts unlimited submissions with no rate limit. One script can submit 10,000 forms per minute. Fix: add an Upstash Redis rate limit (5/min per IP) on the route handler — takes 15 minutes.
- high: File uploads in `/api/upload` don't check file type or size. Someone can upload a 5GB .exe. Fix: whitelist MIME types and cap size at 10MB — 3 lines using `multer` or `formidable`.
- high: Your signup flow doesn't validate email format server-side. Users can create accounts with `' OR 1=1 --` as email. Fix: add a `zod` schema on the server-side handler and reject non-matching input with 400.
- medium: No structured error logging. When something breaks in production, you'll debug blind. Fix: add Sentry free tier — 30 min — catch every server error with a user ID and a stack trace.
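The three code-level fixes in that list (a per-IP rate limit, an upload allow-list with a size cap, and server-side validation that rejects bad input with a 400) shown together as one runnable JavaScript example. This is an added illustration, not VibeScan's scanner or report code: the function names, the in-memory limiter standing in for Upstash Redis, the magic-byte table, and the plain regex standing in for the suggested `zod` schema are all assumptions chosen so the block runs with no dependencies. The 5/min and 10MB thresholds are the ones quoted in the findings.

```javascript
// Added example, not part of the VibeScan page or product.
// Three defensive checks, each a plain function so they can be unit-tested offline.

// 1. Fixed-window rate limiter keyed by client IP (default 5 requests per 60 s).
//    In production this state lives in Redis (the page suggests Upstash); a Map
//    is used here so the example has no external dependency.
function createRateLimiter({ limit = 5, windowMs = 60_000 } = {}) {
  const buckets = new Map(); // ip -> { count, windowStart }
  return function allow(ip, now = Date.now()) {
    const b = buckets.get(ip);
    if (!b || now - b.windowStart >= windowMs) {
      buckets.set(ip, { count: 1, windowStart: now }); // new window for this IP
      return true;
    }
    if (b.count >= limit) return false; // over budget: caller answers 429
    b.count += 1;
    return true;
  };
}

// 2. Upload validation: allow-list of MIME types plus a hard size cap.
//    The Content-Type a browser sends is attacker-controlled, so the leading
//    bytes of the file are compared against the type's known signature as well.
const ALLOWED_MIME = new Map([
  ['image/png', [0x89, 0x50, 0x4e, 0x47]],
  ['image/jpeg', [0xff, 0xd8, 0xff]],
  ['application/pdf', [0x25, 0x50, 0x44, 0x46]],
]);
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // 10MB, as in the finding

function validateUpload({ mimeType, size, head }) {
  if (size > MAX_UPLOAD_BYTES) return { ok: false, reason: 'too large' };
  const magic = ALLOWED_MIME.get(mimeType);
  if (!magic) return { ok: false, reason: 'type not allowed' };
  const matches = magic.every((byte, i) => head[i] === byte);
  if (!matches) return { ok: false, reason: 'content does not match declared type' };
  return { ok: true };
}

// 3. Server-side signup validation. The page suggests a zod schema; a plain
//    regex is used here (assumption) so the block runs without installing zod.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSignup(body) {
  const errors = [];
  if (typeof body.email !== 'string' || body.email.length > 254 || !EMAIL_RE.test(body.email)) {
    errors.push('email');
  }
  if (typeof body.password !== 'string' || body.password.length < 12) {
    errors.push('password');
  }
  return errors.length ? { status: 400, errors } : { status: 200 };
}

// How the checks compose in a route handler. `req` is a constructed plain object
// ({ ip, body }), not a real framework request; real handlers read the same fields.
function handleSignup(req, allow) {
  if (!allow(req.ip)) return { status: 429 };
  return validateSignup(req.body);
}
```

Constructed sample requests (not captured from any real app): the SQL-looking email from the finding fails the email check and gets a 400, a sixth request from the same IP inside the window gets a 429, and an upload whose declared type is `image/png` but whose first bytes are not the PNG signature is rejected even though the MIME type alone would have passed.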
How it works.
FAQ
Is this a real audit or just linter output?
Real audit. We use a tuned LLM to read your code the way a human security reviewer would — looking for leaked secrets, missing auth, unsafe SQL, bad file handling, race conditions, and business-logic flaws. ESLint catches none of these. We also explain every finding in the language you actually use (not "CVE-2023-XYZ jargon").
What if I'm not technical?
Perfect — VibeScan was built for you. Every finding has a one-sentence plain-English explanation ("attackers can log in as any user") and a copy-paste fix ("add this line to your signup route"). Hand the PDF to a contractor and they'll know exactly what to do.
What frameworks / stacks do you support?
Next.js, React, Vue, Svelte, Astro, Remix on the frontend. Node.js, Python (Flask/FastAPI), Ruby on Rails on the backend. Supabase, Firebase, Neon, Postgres, MongoDB for data. If your app was generated by Lovable, Bolt, v0, Replit, Cursor, or Windsurf — we support it.
How is this different from Snyk or DeepSource?
Snyk and DeepSource are built for engineering teams who speak in CVEs and patch diffs. VibeScan is built for a solo founder who wants a straight answer: "is my app safe to launch, and if not what do I fix?" We prioritize ruthlessly, we explain in plain English, and we include the fix. It's the difference between a 300-row dashboard and a 1-page briefing.
Do you store my code?
No. We clone your repo to a disposable sandbox, run the audit, generate the PDF, then delete everything. Your code isn't kept, indexed, or used for training. If you use a deploy key, revoke it after the audit.
Can I get a refund if the report isn't useful?
Yes. If you think the findings are wrong or unhelpful, email us within 7 days and we'll refund the $49. No arguments.
Can you re-scan weekly after I fix things?
Yes — the $29/mo monitoring tier re-runs VibeScan every 7 days and emails you only the NEW findings. Coming soon — reply to your first report to be added to the waitlist at launch price.