| Metric | Value |
|---|---|
| Apps scanned | 1,764 |
| Critical findings | 453 |
| High findings | 3,325 |
| Total findings | 53,145 |
| Apps with CRITs | 85 |
| Scan runs | 2,039 |
Per-platform CRIT rate
| Platform | Scanned | With CRIT | Rate |
|---|---|---|---|
| YC companies (W21–F25) | 200 | 0 | 0% |
| Lovable | 476 | 34 | 7.1% |
| Bolt.host | 289 | 21 | 7.3% |
| Replit | 194 | 4 | 2.1% |
| Vercel (v0/AI) | 67 | 2 | 3.0% |
| Streamlit | 90 | 0 | 0% |
| Other | 53 | 3 | 5.7% |
Finding breakdown
Top CRIT categories across all scans:
- Supabase RLS off — 96% of all CRITs. Tables with real user data readable by anyone with the public anon key.
- API keys in JS bundles — OpenAI, Anthropic, Google, Stripe keys shipped client-side. 15% of Bolt.host apps affected.
- IDOR / broken access control — sequential IDs on API endpoints returning other users' data.
- Unauthed APIs — entire OpenAPI specs with zero security schemes defined.
- Private key material in production — PEM-format keys bundled by Webpack/Vite.
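For the Supabase RLS category above, an added example (not from the report or its scanner) showing the owner-side audit and fix: list public-schema tables with row level security off, then enable RLS and scope reads and writes to the signed-in owner. The table `public.profiles` and its `owner_id` column are assumed.

```sql
-- Added example, not from the report. Run in the Supabase SQL editor (or psql) as a privileged role.
-- Assumed table: public.profiles(id uuid, owner_id uuid, email text).

-- 1. Audit: every table in the API-exposed "public" schema with row level security switched off.
--    With RLS off, PostgREST serves these rows to any request that carries the public anon key.
SELECT schemaname, tablename
FROM   pg_tables
WHERE  schemaname = 'public'
  AND  NOT rowsecurity;

-- 2. Weak state as the report describes it (what a plain CREATE TABLE produces):
--    RLS disabled, so the anon and authenticated roles can read every row through the REST API.
-- CREATE TABLE public.profiles (id uuid PRIMARY KEY, owner_id uuid NOT NULL, email text);

-- 3. Remediation: enable RLS. With no policies yet this is default-deny for anon/authenticated.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- 4. Grant back only what is intended: a signed-in user sees and edits their own row.
--    auth.uid() is the Supabase helper that returns the JWT subject of the calling user.
CREATE POLICY "profiles: owner can read"
  ON public.profiles FOR SELECT
  TO authenticated
  USING (owner_id = auth.uid());

CREATE POLICY "profiles: owner can update"
  ON public.profiles FOR UPDATE
  TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- No policy is created for the anon role, so unauthenticated requests return zero rows.

-- 5. Verify: the audit query in step 1 no longer lists the table, and the policies are in place.
SELECT tablename, policyname, roles, cmd
FROM   pg_policies
WHERE  schemaname = 'public' AND tablename = 'profiles';
```

The step 1 query is the check to run across a whole project before launch; any table it returns is reachable with nothing more than the anon key embedded in the client bundle.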
Methodology
Targets sourced from certificate transparency logs, Google search, and platform directories. All scans are read-only (GET + minimal POST probes). 50+ scanner modules per target. Every CRIT finding verified reproducible before disclosure. Private disclosures sent to all identifiable owners before publication.
Scanner: securityscanner.dev — open to anyone. One free scan, no card.
Detailed write-ups
- Lovable vs Bolt vs Replit: per-platform RLS breakdown →
- Beyond Supabase RLS: 5 other critical vulnerabilities →
- Top 5 Supabase RLS mistakes on Lovable apps →
- Top 5 security issues on Replit apps →
This report is updated as we scan more apps. Data as of April 2026. Questions or corrections: [email protected].