ClaudeFolio
Lessons

Just Because You Can Vibe Code It Doesn't Mean You Should Ship It

Edward Kwun · 6 min read

Alright, somebody's gotta pump the brakes for a second, because the vibe coding gold rush has everybody confusing two very different things. Building an app and shipping an app. Claude Code and the rest of these tools have made the building part so easy. Just describe what you want, watch Claude Code do its thing, it runs, it works, ship it. And that last step, the ship it part, is where people are walking off a cliff while staring at their phone. So let me say the thing: just because you can vibe code it does not mean you should ship it. Not yet. Not like that.

I'm not anti vibe coding. This whole site is for people building with Claude Code. Go build away. The problem isn't the building, it's the shipping without looking, and the receipts on what happens when you do that are piling up fast. It isn't pretty.



Moltbook

Quick story, because it fits my narrative. Back in January 2026 a social network called Moltbook launched, a social network for AI agents, very "buzzy." The founder proudly told everyone he didn't write a single line of code. The whole thing was vibe coded, prompts in, platform out. Three days later, security researchers at Wiz found the entire production database sitting wide open: 1.5 million API authentication tokens, 35,000 email addresses, private messages, all of it exposed. The AI-generated code had put the Supabase API key in client-side JavaScript, which on its own is normal for Supabase's public anon key, but it never turned on row-level security, and RLS is the only thing that makes a public key safe. With RLS off, anyone who opened the page source had a key that read every table directly.

Three days. That's how long it took for "I didn't write a single line of code" to turn from a brag into a big oops. The app worked. It ran fine. Users were using it. Everything looked shipped. The security layer that should've been underneath it all just didn't exist, because nobody asked the AI to build one and nobody checked whether it had.

That's the signature vibe coding failure right there. It's not that the code is buggy in the normal sense, it's that whole layers are missing. Normal bugs are logic errors, vibe coding failures are structural, entire security layers that were never implemented because the AI was never prompted to implement them. The code looks correct. It runs. It's just missing the foundation, like a house with great paint and no plumbing.



This is becoming a pattern

If Moltbook was a freak accident I wouldn't be writing this. It's not. The numbers across the whole category are consistently bad. Depending on the study, somewhere between 40 and 62 percent of AI-generated code contains security vulnerabilities. Not edge cases, not weird inputs. Vulnerabilities.

When researchers scanned 5,600 publicly deployed vibe-coded apps, they found 2,000 critical vulnerabilities, over 400 exposed secrets like API keys and access tokens, and 175 instances of leaked personal data, including medical records and payment info. Those are live production apps, real users, real data, sitting in the open. One controlled study built the same apps with five different AI coding agents and every single one introduced the same server-side vulnerability, five for five, and zero of the fifteen test apps had basic security headers or CSRF protection. The tools optimize for code that runs, not code that's safe.

And it's accelerating. Georgia Tech started formally tracking CVEs, actual catalogued vulnerabilities, caused directly by AI-generated code. Six in January. Fifteen in February. Thirty-five in March. That curve only goes one direction, because the number of people shipping unreviewed AI code only goes one direction.



"It runs" versus "It's done"

When you vibe code something and it runs, you are maybe 80 percent done, and the missing 20 percent is invisible. It's the auth checks, the input validation, the rate limiting, the keys that should be in environment variables instead of hardcoded in the source, the database rules that decide who can read what. None of that shows up when you click around your own app, because you're the friendly user. It only shows up when the unfriendly user arrives, and on the public internet the unfriendly users are automated bots that arrive in hours, not months. Bots scan fresh domains constantly (a new TLS certificate lands in the public certificate transparency logs within minutes, and scanners watch those logs). There is no grace period.

An experienced developer writes a lot of that invisible 20 percent on autopilot, out of scar tissue and habit. The AI doesn't have habits, it has your prompt. You asked for a working app, it gave you a working app. You didn't ask for a secure one. That's not the AI being bad at its job, that's the AI doing exactly the job you described, and that missing link between what you described and what production actually requires is where every one of these breaches lives.



So what does "should ship it" actually look like

Before anything vibe coded goes live with real users or real data, at minimum: no secrets hardcoded anywhere, keys live in environment variables and your .env is in .gitignore before your first commit. Auth actually checked, meaning you log out, hit the private endpoints with no session and no token, and confirm you get a 401 or 403 back, not data. Database rules on: if you're on Supabase that literally means turning on row-level security for every table and writing the policies, the exact switch Moltbook never flipped, because with RLS off the public anon key in your page is a key to the whole database. Inputs validated and queries parameterized so the classic injection junk bounces off. And then the move if you're lazy, have a second model security-review the first model's code, because a fresh set of AI eyes prompted specifically to hunt for security holes catches a good amount of this stuff, and it costs you nothing but typing into a CLI. Treat that as a floor, not a pentest: it's good at spotting the layers that are missing, not at proving the ones you have are right.
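Here is what that checklist looks like as something you can actually run, as an added example (this is not code from the post, and not Moltbook's code): a Node script that pulls the checks above into one pre-ship report. It flags Supabase keys in your client source by decoding the key's JWT role claim (a service_role key bypasses RLS and must never ship to a browser; an anon key is expected to be public and is only safe with RLS on, which is exactly the Moltbook failure), checks that .gitignore covers .env, lists missing security headers, and judges what protected endpoints returned to a request carrying no cookie and no token. Everything below is constructed sample input: the key is fake, the repo is fake, and the app layout (Supabase REST under /rest/v1, an /api/admin route) is assumed.

```javascript
// Added example, not from the original post: a pre-ship check for a vibe-coded
// web app. Assumed: Supabase backend, REST under /rest/v1, client JS readable as a string.
const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

// Decode a JWT payload WITHOUT verifying it: we only read which role a leaked
// key carries, we never trust the token.
function decodeJwtPayload(token) {
  try {
    const part = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = part + '='.repeat((4 - (part.length % 4)) % 4);
    return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Legacy Supabase keys are JWTs whose `role` is "anon" (public by design, safe only
// with RLS on) or "service_role" (bypasses RLS). Newer keys use sb_publishable_/sb_secret_.
function findSupabaseKeys(source) {
  const findings = [];
  for (const tok of source.match(JWT_RE) || []) {
    const claims = decodeJwtPayload(tok);
    if (!claims || claims.iss !== 'supabase') continue;
    const critical = claims.role === 'service_role';
    findings.push({ severity: critical ? 'critical' : 'info',
      what: `supabase ${claims.role} key (JWT) in client source` });
  }
  for (const m of source.match(/sb_(secret|publishable)_[A-Za-z0-9_-]+/g) || []) {
    const critical = m.startsWith('sb_secret_');
    findings.push({ severity: critical ? 'critical' : 'info',
      what: `supabase ${critical ? 'secret' : 'publishable'} key in client source` });
  }
  return findings;
}

// True if .gitignore keeps .env files out of the repo; comments are skipped and a
// negated pattern (!) does not count as protection.
function envIsIgnored(gitignoreText) {
  const patterns = new Set(['.env', '.env*', '.env.*', '*.env']);
  return gitignoreText.split(/\r?\n/).some((line) => {
    const p = line.trim();
    return p !== '' && !p.startsWith('#') && !p.startsWith('!') && patterns.has(p);
  });
}

// Headers a public app should send (lower-cased). X-Frame-Options may be replaced
// by a CSP frame-ancestors directive; this check does not parse CSP.
const REQUIRED_HEADERS = ['content-security-policy', 'strict-transport-security',
  'x-content-type-options', 'x-frame-options'];
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return REQUIRED_HEADERS.filter((h) => !present.has(h));
}

// Judge what a request with NO cookie and NO bearer token got back from each
// protected path. 401/403 is right. 200 with [] is what Supabase REST returns when
// RLS is on and no policy grants anon anything. 200 with rows is the Moltbook failure.
function assessUnauthResponses(responses) {
  return responses.map(({ path, status, body }) => {
    if (status === 401 || status === 403) return { path, status, verdict: 'ok' };
    if (status === 200) {
      let data;
      try { data = JSON.parse(body); } catch (e) { data = body; }
      if (Array.isArray(data) && data.length === 0) return { path, status, verdict: 'ok (empty set)' };
      return { path, status, verdict: 'EXPOSED' };
    }
    return { path, status, verdict: `review (${status})` };
  });
}

function preShipReport({ clientSource, gitignore, headers, unauthResponses }) {
  const critical = [], warnings = [];
  for (const f of findSupabaseKeys(clientSource)) (f.severity === 'critical' ? critical : warnings).push(f.what);
  if (!envIsIgnored(gitignore)) critical.push('.env is not in .gitignore');
  for (const h of missingSecurityHeaders(headers)) warnings.push(`missing header ${h}`);
  for (const r of assessUnauthResponses(unauthResponses)) if (r.verdict === 'EXPOSED') critical.push(`${r.path} readable without auth`);
  return { shipReady: critical.length === 0, critical, warnings };
}

// ---- constructed sample inputs: fake key, fake repo, fake responses ----
function fakeJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}.${'x'.repeat(43)}`;
}
const SAMPLE_CLIENT_JS = `const supabase = createClient('https://abcdefgh.supabase.co',
  '${fakeJwt({ iss: 'supabase', ref: 'abcdefgh', role: 'service_role' })}');`;
const SAMPLE_GITIGNORE = 'node_modules/\ndist/\n# forgot .env\n';
const SAMPLE_HEADERS = { 'content-type': 'text/html', 'x-content-type-options': 'nosniff' };
const SAMPLE_UNAUTH = [
  { path: '/rest/v1/messages', status: 200, body: '[{"id":1,"body":"hi"}]' },
  { path: '/rest/v1/profiles', status: 200, body: '[]' },
  { path: '/api/admin', status: 401, body: '' },
];

const report = preShipReport({ clientSource: SAMPLE_CLIENT_JS, gitignore: SAMPLE_GITIGNORE,
  headers: SAMPLE_HEADERS, unauthResponses: SAMPLE_UNAUTH });
console.log(JSON.stringify(report, null, 2)); // shipReady: false, 3 critical findings
```

To run it against a real app, read your built client bundle into `clientSource`, and build the `unauthResponses` records yourself with Node 18+'s global `fetch` (no cookie, no Authorization header) against each protected path, recording `status` and the response text. Two caveats: a 200 with an empty array only counts as a pass if the table is supposed to be private, and this checks reads only, so a table that is meant to be public still needs its write policies tested separately.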

One study found basic automated scanning alone catches around 70 percent of common vibe-coding flaws. You don't need a security team. You need an afternoon and the willingness to admit that "it runs" and "it's ready" are different sentences.

Fold the security question into the stuff you ask before you ship anything. If the answer to "what happens if a stranger pokes at this" is a shrug, you're not done building, you just stopped early.



Final advice

The AI building speed is real and I love it. Idea to working product in a few hours or a weekend is genuinely one of the coolest things to ever happen, and I'm not telling you to slow down to old-world speeds and hire a security consultant for your todo app. I'm telling you the last mile is still your job. The AI got you to the door, it did not lock the door behind you.

Because here's the thing about shipping junk fast: the internet doesn't grade on effort. Your users don't care that the breach happened because you were moving fast and trusting the tools. Their emails are still in a dump somewhere. The founders who come out of this era looking smart aren't the ones who shipped fastest, they're the ones who shipped fast AND checked the locks. Be that one. Vibe code the whole thing, go nuts. Then spend the one afternoon making sure the data is actually protected and the thing deserves to be on the internet before you put it there. That afternoon is the whole difference between a launch and an apology.



Sources

Modall: Vibe Coding Security Risks - The Moltbook breach details, the exposed Supabase key in client-side JavaScript with no row-level security, and Georgia Tech's Vibe Security Radar tracking CVEs from AI-generated code rising from 6 in January to 35 in March 2026.

The Next Web: Lovable Security Crisis and the Structural Failure of Vibe Coding Security - The 40 to 62 percent vulnerability rate in AI-generated code across studies and the Moltbook timeline of being breached within three days of launch.

Autonoma: 7 Real Vibe-Coded Apps That Broke in Production - The framing that vibe coding failures are structural rather than ordinary bugs, with entire security layers missing because the AI was never prompted to build them.

BeyondScale: Vibe Coding Security Risks Enterprise Guide - The Escape.tech scan of 5,600 deployed vibe-coded apps finding 2,000 critical vulnerabilities, 400 exposed secrets, and 175 instances of exposed personal data, plus the Tenzai study where all five AI coding agents introduced the same vulnerability and zero apps shipped security headers.

GuardMint: The Hidden Dangers of AI-Generated Code - The finding that basic automated scanning catches roughly 70 percent of common vibe-coding flaws and that most builders never run a security scanner on their deployed apps.

FAQ

Should I ship a vibe-coded app without review?
No. Vibe coding can get you to a working prototype quickly, but shipping without review is where people get hurt. The code may run fine while still missing basic security layers like auth checks, input validation, and database protections.
Why is "it runs" not the same as "it is ready"?
A vibe-coded app can look finished while still missing invisible but essential parts of production readiness. Things like secrets management, row-level security, rate limiting, and proper authorization often do not show up until someone unfriendly tests the app.
Should I have another AI review my AI-generated code?
Yes. A second model can catch a surprising number of security problems if you explicitly ask it to look for them. That kind of review is fast, cheap, and much better than assuming the first model got everything right.
