DEV Community

Not Elon


If You're Selling Vibe-Coded Apps to Clients, You're One Breach Away From a Lawsuit

You built a client's app in 3 hours with Lovable. Charged $500. Client loved it. Shipped it.

Six weeks later, their customer data leaks. The client's lawyer sends you a letter.

This isn't hypothetical. It's the trajectory.

The Numbers Nobody's Talking About

  • 60% of AI-generated apps fail basic security tests (Escape.tech, 5,600 apps scanned)
  • 67% of vibe-coded repos have critical vulnerabilities (ShipSafe, 100 repos audited)
  • 35 new CVEs in March 2026 alone from AI-generated code (Georgia Tech Vibe Radar)
  • 47,000 poisoned downloads in 46 minutes when LiteLLM was hit by a supply chain attack last week

You're not building insecure apps on purpose. The AI tools you're using are generating insecure code by default. Missing Row Level Security. Hardcoded API keys. No input validation. Client-side only authentication.

The AI optimizes for "it works." Not "it's secure."

The Liability Problem

When you build an app for a client, you own the outcome. "I used AI to build it" is not a legal defense. Neither is "I didn't know it was insecure."

If client data gets exposed because you shipped an app with:

  • No RLS on Supabase tables (anyone can read any user's data)
  • Hardcoded API keys in client-side code (visible in browser dev tools)
  • No rate limiting (a bot can dump the entire database)
  • Missing security headers (clickjacking, XSS)

...that's on you. Not the AI tool. Not the platform. You.
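The first bullet is the one most worth seeing concretely. Here, as an added example that is not from the original post, is what the Supabase RLS gap looks like in SQL: a table created the way a vibe-coded scaffold typically leaves it (RLS off, so anyone holding the public anon key can read every row), the statements that close the hole, and the catalog query an auditor can run to find every public table still missing RLS. The table shape (`public.orders`) and policy names are assumptions for illustration; `auth.uid()` and the `authenticated` role are Supabase's own.

```sql
-- Before: a table as a scaffold typically leaves it. RLS is off, so the
-- public anon key embedded in the client can SELECT every row.
create table if not exists public.orders (
  id          bigint generated always as identity primary key,
  user_id     uuid not null references auth.users (id),
  total_cents integer not null,
  created_at  timestamptz not null default now()
);

-- After: enable RLS. With no policies yet, the table denies everything
-- to anon and authenticated; only the service role bypasses RLS.
alter table public.orders enable row level security;

-- A signed-in user may read only their own rows.
create policy "orders_select_own" on public.orders
  for select to authenticated
  using (auth.uid() = user_id);

-- A signed-in user may insert rows only under their own user_id.
create policy "orders_insert_own" on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Audit query: every ordinary table in the public schema (the schema the
-- anon key reaches through the REST API) that still has RLS disabled.
-- An empty result is the pass condition.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity
order by c.relname;
```

Run the audit query in the Supabase SQL editor (or psql against the project database); any row it returns is a table readable by every holder of the anon key.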

The Fix (That Also Makes You More Money)

Add a security audit as an upsell on every project.

Not "learn security." Not "become a pentester." Outsource it.

The pitch to clients:

"I've built your app. Before we go live, I recommend a security audit to make sure your users' data is protected. It's $99 and takes 24 hours. You'll get a full report showing exactly what's secure and what needs fixing."

Client hears: professional, thorough, protective of their business.

You hear: $99 in margin on a deliverable you didn't build.

The Math

Scenario     Your Fee   Audit Cost   Your Margin   Client Gets
No audit     $500       $0           $500          Vulnerable app + liability
With audit   $599       $99          $500          Secure app + peace of mind

Same margin. Better deliverable. Lower liability. Recurring revenue if client wants monthly scans.

What a $99 Audit Covers

A real audit checks 50+ security vectors specific to vibe-coded apps:

  • Authentication & Authorization: RLS policies, JWT validation, admin routes
  • Secrets Management: Exposed API keys, env vars in client code, .git exposure
  • Input Validation: SQL injection, XSS, path traversal
  • API Security: Rate limiting, CORS configuration, error handling
  • Supply Chain: Dependency versions, known vulnerabilities, lockfile integrity
  • Infrastructure: Security headers, HTTPS enforcement, cookie flags

You get a report with every finding, severity rating, and a copy-paste AI prompt to fix each issue.


Free Tools to Start With

Before you upsell audits, run your own builds through these:

  1. VibeCheck Scanner -- Paste your repo URL. Get a security score in 30 seconds. Free.
  2. Security Assessment Quiz -- 10 questions. 2 minutes. Know your risk grade.
  3. Breach Cost Calculator -- Show your client what a breach would cost them. Makes the $99 audit feel like nothing.

Platform-Specific Risks

Every vibe coding tool has different security blind spots:

  • Lovable: RLS disabled by default, Supabase keys in client code, 200K daily projects with 63% non-developer users
  • Bolt.new: No built-in security scanning, manual deployment to any platform, no guardrails
  • Cursor: MCP plugin supply chain attacks, .cursorrules injection, terminal command execution
  • Windsurf: Cascade autonomous execution, Memories storing sensitive data, cloud/local confusion
  • Replit: Agent controls entire stack (code + DB + deployment), public-by-default repos, rogue agent incident (July 2025)

The Bottom Line

You're building apps faster than ever. That's the upside.

The downside: you're shipping vulnerabilities faster than ever too. Your clients trust you to deliver something that works AND doesn't leak their data.

A $99 security audit takes 24 hours and covers 50+ checks. It protects your client, protects you from liability, and adds margin to every project.

Or skip it. And hope nobody finds the RLS bypass before your client's data shows up on a breach notification site.


Get a security audit for your next client project -- $99 for a full 50+ check assessment with actionable fix prompts. Results in 24 hours.
