Free Runbook

The Vibe Coding Security Audit

5 stages · 19 prompts · 60 min · works in any AI tool

70% of vibe-coded apps ship with at least one critical misconfiguration

80% of those bugs are findable without writing code, just by asking

2x cheaper than a real audit, in your hands the same day

Get the runbook

I send it the second you submit. Notion link, no PDF, no upsell.

No spam. The runbook plus 4 follow-up emails. Unsubscribe anytime.

Why this exists

In April 2026, a researcher pulled the user data of hundreds of apps shipped through Lovable. Same bug in every one. Nobody had checked.

AI coding tools are great at building things. They are bad at protecting them. The defaults skip the parts a human engineer would never skip: row-level security, input validation, secret handling, access control on every endpoint. By the time the app is live, those gaps are baked in.

A proper security review costs $5,000 to $25,000 and takes a week. Most founders cannot justify it for a side project or pre-revenue MVP. So they ship and hope.

This runbook is the alternative. 19 prompts you paste into your AI tool. The tool reads your code and answers each one. You score the answers with a traffic-light system. At the end you have a list of what to fix and what is fine. Same kind of finding a real engineer would surface, just done by you in an hour.

What you do

Stage 0
Context

Tell the AI what your app is and what stack you used. 2 prompts.

Stage 1
Surface scan

Ask the AI for the obvious mistakes: hardcoded keys, console logs in prod, debug routes. 3 prompts.

Stage 2
Access control

The most common class of bug. Row-level security, IDOR, two-user behavioral tests, storage permissions. 5 prompts.

Stage 3
Input handling

Validation, file uploads, payment webhook signatures, auth edge cases. 5 prompts.

Stage 4
Operational

Logs, error boundaries, rate limits, environment hygiene. 3 prompts.

Stage 5
Lock-in

Score it, write the fix list, prioritize by blast radius. 1 prompt.

For you if

  • You shipped an MVP with Lovable, Bolt, v0, Cursor, or Replit
  • You have real users (or are about to)
  • You handle email, payments, accounts, or any private data
  • You can copy and paste, and read English

Not for you if

  • You handle medical records, banking data, or anything regulated. Hire a real auditor.
  • Your app is a static landing page with no accounts. There is nothing to audit.
  • You need a compliance certification (SOC 2, HIPAA, PCI). Different work.

What the output looks like

Example finding from a real audit

Stage 2, prompt 3 — RLS check

The AI returned: "I checked your Supabase tables. The user_messages table has RLS enabled, but the SELECT policy is set to true, which allows any authenticated user to read every other user's messages."

RED. Fix before more users sign up. The runbook gives you the exact prompt to ask the AI for the fix.
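As an added example that is not part of the runbook: the Supabase policy that produces this exact finding, the corrected policy beside it, and the two-user read check Stage 2 describes done from SQL. The user_id column, the policy names and the two UUIDs are assumptions; auth.uid() is the Supabase helper that returns the caller's user id from the request JWT.

```sql
-- Added example, not from the runbook. Assumes a Supabase/Postgres table
-- public.user_messages with an owner column user_id (uuid) that references
-- auth.users(id); the column name and policy names are assumptions.

-- The finding: RLS is on, but the SELECT policy is `using (true)`, so any
-- signed-in user can read every row, not just their own.
alter table public.user_messages enable row level security;

create policy "read messages"
  on public.user_messages
  for select
  to authenticated
  using (true);                  -- RED: no ownership check at all

-- The fix: drop the open policy and scope reads to the row owner.
drop policy "read messages" on public.user_messages;

create policy "read own messages"
  on public.user_messages
  for select
  to authenticated
  using (auth.uid() = user_id);  -- GREEN: caller sees only their own rows

-- Writes need the same scoping; fixing SELECT alone still lets a user
-- insert rows under someone else's user_id if INSERT is unrestricted.
create policy "insert own messages"
  on public.user_messages
  for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Two-user check from SQL: impersonate one user and confirm no other
-- user's rows come back. Assumes auth.uid() reads the "sub" claim from
-- request.jwt.claims, as in Supabase's RLS testing docs; UUID is constructed.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true);
-- With the corrected policy this must return zero rows. With the original
-- `using (true)` policy it returns every other user's messages: the RED finding.
select id, user_id
  from public.user_messages
 where user_id <> '11111111-1111-1111-1111-111111111111';
rollback;
```

Run the block in the Supabase SQL editor against a copy of the project, then repeat the final SELECT with a second user's UUID to complete the two-user test.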

Who I am

I am Christian. Fractional CTO and AI product engineer based in NYC. I have helped a dozen non-technical founders ship and harden apps built with Lovable, Cursor, and Bolt. The same bugs come up every time. So I wrote the prompts down.

If after running this you want a real engineer to review the result, that is what I do. The runbook is free either way.

Ready to run it?

Drop your email. The runbook is in your inbox in under a minute.

Common questions

What is a vibe coding security audit?

A structured review of an app shipped through AI coding tools like Lovable, Bolt, v0, Cursor, or Replit. The goal is to catch the security mistakes those tools make by default: missing row-level security, exposed API keys, unsafe input handling, and broken access control. This runbook walks you through 19 prompts you paste into your existing AI tool to do the review yourself.

Do I need to know how to code to do this?

No. The runbook is built for non-technical founders. You copy each prompt, paste it into the AI tool that built your app, and read the response. You score each finding with a traffic-light system: green is fine, yellow needs attention, red needs to be fixed before more users sign up. The runbook tells you what each result means.

How long does the audit take?

About 60 to 90 minutes for a small app. Larger apps with more features take longer. You can spread it across two sittings if needed. The runbook is structured in five stages so you can stop and pick back up.

Which AI tools does this work with?

Any tool that can read your codebase: Claude Code, Cursor, Windsurf, Lovable chat, Bolt, v0, Replit Agent, GitHub Copilot Chat, ChatGPT with project files. The prompts are written to be paste-and-run.

Will this find every security bug in my app?

No. A real penetration test does more, costs $5K to $25K, and takes a security engineer one to two weeks. This runbook catches the common mistakes that show up in eight out of ten vibe-coded apps. It is the first 80 percent. If your app handles payments, health data, or anything regulated, you should still hire a pro after running this.

Should I do this before launch or after?

Both work. Before launch is ideal because you have time to fix things without users on the platform. After launch still helps because most of these bugs do not get exploited the first day. The Lovable breach in April 2026 happened because hundreds of apps had been live for months with the same misconfiguration. Catching it later is better than not catching it.