The state of vibe-coded security
Vibe coding works. The same Y Combinator batch that taught a generation to "build fast and ship faster" is now graduating startups whose codebases are 95% AI-generated. The question this page tries to answer is what that code looks like when you stop celebrating and start auditing. The short version: not great. The longer version, with citations, is below.
Findings
About 40 of the 160 startups in YC's Winter 2025 batch reported codebases that are almost entirely AI-generated. Vibe coding stopped being a niche workflow and became the default for early-stage product teams sometime in the last 18 months.
Source: Y Combinator W25 partner statement (via Snyk)Veracode's 2024 analysis found that 45% of AI-generated code samples introduced at least one OWASP Top 10 vulnerability. A 2023 empirical study of GitHub Copilot output found 35.8% of generated snippets contained recognized weaknesses (CWEs), with 11 of those weaknesses on the 2022 CWE Top-25 list. A Stanford user study (Perry et al., 2022) found participants with AI assistants wrote less secure code than the control group on four of five security tasks.
Source: Veracode 2024, Fu et al. arXiv:2310.02059, Stanford arXiv:2211.03622GitGuardian's 2025 report found repositories using AI coding tools leak secrets at a 40% higher rate than the baseline. The same report counted 23.8 million leaked secrets across public repos in 2024, with 96% of leaked GitHub tokens carrying write access and 70% of secrets leaked in 2022 still active today.
Source: GitGuardian State of Secrets Sprawl 2025Snyk's AI code security survey found roughly 80% of developers think AI-generated code is more secure than human-written code. In the same survey, 56% admitted that AI-generated code in their own projects had sometimes or frequently introduced security issues. Both statements are true at once, which is the actual problem. The Stanford study identified the same effect: developers using AI assistants were more confident their code was secure, even when it wasn't.
Source: Snyk AI Code Security ReportOnly 10% of developers reported scanning most AI-generated code before shipping it. 80% admitted to bypassing a security policy at least once. 96% use AI coding assistants regularly. The math is straightforward: a lot of new code is shipping unreviewed, and the people shipping it believe it's fine.
Source: Snyk Secure Adoption in the GenAI EraIn a public 2025 analysis, security researcher Matt Palmer reported finding 170 vulnerable production sites in one examination session of Lovable-built apps. A separate analysis demonstrated full compromise of multiple Lovable production sites in 47 minutes via misconfigured Supabase Row-Level Security policies. These are not theoretical vulnerabilities. They are public, working exploits against live consumer apps.
Source: Snyk: The Highs and Lows of Vibe CodingWhat this means for vibe coders
Two things are true at once. AI editors will keep growing because they save real time, the tooling is improving fast, and the developer audience is gravitating to them. And the security of AI-generated code is meaningfully worse than human-written code on every published measure. The gap between these two trajectories is where the next generation of breaches and data leaks is going to come from. For founders shipping with Cursor, Lovable, Bolt, or v0, the cheap intervention is a security scan as part of the deploy loop, not as a one-time "before launch" event. The cost of one exposed Stripe key, or one wide-open API endpoint, is significantly higher than the cost of catching it the same day.
Methodology
This page synthesizes externally published research. Heimdall Scan does not yet publish primary research of its own. All numbers above come from the cited sources (academic papers, vendor reports, and security researcher write-ups) and are linked inline. Where two sources gave different numbers for the same question (e.g., the academic Copilot study found 35.8% vulnerability rate while Veracode found 45%) we report both so you can judge.
Heimdall Scan checks for the exact issues this research describes (exposed secrets, missing auth, broken access control, weak webhook verification, and more) on any GitHub repo in under a minute. It's free during open beta.
