Your AI doesn't think about security.
VibeCure rules fix that.

Security rules for your AI coding assistant. Every rule benchmark-proven on hundreds of real vibe-coded apps.

2 free categories — bot detection & cost limit abuse — delivered to your inbox. 6 more with your subscription.

New categories drop to subscribers first. Plus weekly eval findings.

Your prompt

“Build InviteHub — a team collaboration tool where project owners can invite members by email.”

Tags: JWT auth · Create projects · POST /projects/:id/invite · SendGrid email
AI generates

Same prompt, same model — only difference is VibeCure rules.

Default output (Sonnet 4.5):

// POST /projects/:id/invite
router.post('/:id/invite', auth, async (req, res) => {
  const { email } = req.body;
  const token = crypto.randomBytes(32).toString('hex');
  db.run(`INSERT INTO invites ...`, [...]);
  await sgMail.send({
    to: email,
    from: 'noreply@invitehub.com',
    subject: 'You\'re invited!',
    html: `Click to join: ${link}`
  });
  // ← no rate limit. no bot check.
  res.json({ message: 'Invitation sent' });
});

With VibeCure rules (Sonnet 4.5):

const rateLimit = require('express-rate-limit');
const inviteLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5                    // 5 invites per window
});

// POST /projects/:id/invite
router.post('/:id/invite',
  auth,
  inviteLimiter,  // ← rate limited
  verifyCaptcha,  // ← bot protection
  async (req, res) => {
    const { email } = req.body;
    await sgMail.send({ ... });
    res.json({ message: 'Invitation sent' });
  });
What happens when you ship the left side
Account suspended — all email stops
Spam volume triggers an automated review. SendGrid freezes your account — no password resets, no invoices, no onboarding emails until you prove the root cause is fixed.
$7,300 on your card — by morning
Bots hit the unprotected endpoint at 10K req/sec. By morning you have a SendGrid bill and 600K spam emails sent from your domain.
Domain blacklisted — emails hit spam for months
Abuse volume burns your sending reputation. Even after you fix the code, password resets and invoices land in spam for 30–90 days.

Both sides generated from the same prompt on the same model. No cherry-picking — this is what ships. Full prompt, rules, and eval data on GitHub.

We don't guess. We test.

Every VibeCure rule is validated against frontier AI models across real application scenarios. Here's what happens when rules are applied:

45% of AI-generated code contains security vulnerabilities (Veracode, 2025). Researchers found 2,000+ vulnerabilities in 5,600 vibe-coded apps (Escape.tech, 2025). These are the gaps VibeCure rules help close:

Category | What was tested | No rules | OWASP / generic | VibeCure
Bot abuse protection | 8 API services: SendGrid, Twilio, OpenAI, AWS S3, Google Maps, Google TTS, DeepL, Stability AI | 0% | 0% | 100%
Abuse cost limits | 8 API services: SendGrid, Twilio, OpenAI, AWS S3, Google Maps, Google TTS, DeepL, Stability AI | 0% | 0% | 100%
SMS abuse prevention | 5 checks: rate limiting, per-phone cooldown, CAPTCHA / bot detection, geo-restriction, Verify API | 0% | 0% | 100%
Sensitive data encryption | SSN & financial field encryption: SSN encryption (AES-256), financial data protection | 0% | 0% | 100%
Secret key management | 15 services: Stripe, OpenAI, SendGrid, Twilio, AWS, Plaid, Sentry, Slack, MongoDB, GitHub, +5 more | 0% | 62% | 97%

Tested across 7 frontier models · 14+ vulnerability categories

Three steps. No learning curve.

VibeCure tells your AI assistant which security patterns to use — ones it knows but won't apply unless asked. No scanning tools. No CI/CD pipelines. Just a curated file, kept updated as models change.

1. Run one command

VibeCure detects your AI assistant and writes the rules file. 10 seconds, done.

$ npx vibecure --key sk_live_•••••
  Detected: .cursorrules
  Wrote 8 categories (42 rules)
  Rules active
2. Your AI reads it automatically

Cursor, Claude Code, Copilot, and 5 others read rules files before generating code.

# .cursorrules
Before each paid API call, check the user's quota in usage_tracking (user_id, resource_type, count, period_start). Return 429 when exceeded. Reset each billing cycle.
... 42 rules across 8 categories
3. Safer code, every time

Per-user quotas, auth checks, key externalization — your AI applies them without being asked.

// ✔ VibeCure rule — per-user quota
// knex-style query builder assumed: .first() returns the single
// (user_id, resource_type) row, or undefined if the user has no usage yet
const usage = await db('usage_tracking')
  .where({ user_id, resource_type: 'sms' })
  .first();
if (usage && usage.count >= DAILY_LIMIT)
  return res.status(429).json({
    error: 'quota exceeded' });
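As an added example (not VibeCure's code and not the page's generated output), here are the two controls this section describes for a paid endpoint, in plain Node.js: the 15-minute / 5-request burst limiter from the InviteHub comparison above, and the billing-period per-user quota from the .cursorrules excerpt. In-memory Maps stand in for the usage_tracking table and the limiter store; the quota limit, billing cycle length and anchor, request shape, and function names are assumptions.

```javascript
'use strict';
// Added example: burst rate limit + billing-period quota for a paid API call.
// No Express or database; Maps stand in for the usage_tracking table and the
// rate-limit store. All limits and names below are assumed, not VibeCure's.

const RATE_WINDOW_MS = 15 * 60 * 1000;              // 15-minute burst window
const RATE_MAX = 5;                                 // 5 invites per window per caller
const BILLING_PERIOD_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day billing cycle
const BILLING_EPOCH = Date.UTC(2025, 0, 1);         // assumed cycle anchor (UTC)
const QUOTA_LIMIT = 200;                            // assumed paid emails per user per cycle

const rateWindows = new Map();   // caller key -> { count, windowStart }
const usageTracking = new Map(); // `${user_id}:${resource_type}` -> { count, period_start }

// Burst limiter: fixed window keyed by caller (client IP here), like the
// inviteLimiter in the comparison above but without the express-rate-limit dependency.
function rateLimitAllow(key, now) {
  let w = rateWindows.get(key);
  if (!w || now - w.windowStart >= RATE_WINDOW_MS) {
    w = { count: 0, windowStart: now };   // window expired or first request: start fresh
    rateWindows.set(key, w);
  }
  if (w.count >= RATE_MAX) return false;
  w.count += 1;
  return true;
}

// Billing-period quota, following the rule text: check the (user_id, resource_type)
// row, return 429 when exceeded, reset each billing cycle. The period start is
// aligned to the cycle boundary, so every user resets at the same moment rather
// than N days after their own first use.
function currentPeriodStart(now) {
  return now - ((now - BILLING_EPOCH) % BILLING_PERIOD_MS);
}

function quotaConsume(userId, resourceType, now) {
  const key = `${userId}:${resourceType}`;
  const periodStart = currentPeriodStart(now);
  let row = usageTracking.get(key);
  if (!row || row.period_start !== periodStart) {
    row = { count: 0, period_start: periodStart }; // new billing cycle: reset the count
    usageTracking.set(key, row);
  }
  if (row.count >= QUOTA_LIMIT) return false;
  row.count += 1;                                   // count only calls that will be made
  return true;
}

// Stand-in for the paid call (sgMail.send on the page): records what would be sent.
const sent = [];
function sendInvite(email) { sent.push(email); }

// Handler in the shape of the route above, returning { status, body } instead of
// writing to res. Assumed request shape: { ip, user: { id }, body: { email } }.
function handleInvite(req, now = Date.now()) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  if (!rateLimitAllow(req.ip, now)) {
    return { status: 429, body: { error: 'too many requests' } };
  }
  if (!quotaConsume(req.user.id, 'email', now)) {
    return { status: 429, body: { error: 'quota exceeded' } };
  }
  sendInvite(req.body.email);
  return { status: 200, body: { message: 'Invitation sent' } };
}

function resetStores() { rateWindows.clear(); usageTracking.clear(); sent.length = 0; }
```

The two checks sit in front of the paid call and are ordered cheapest first: the burst limiter stops a flood before any quota row is touched, and the quota is only incremented for a call that will actually be made, so a rate-limited request never consumes the user's allowance.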

No scanning tool. No CI/CD pipeline. No learning curve. One command, instant security rules.

8 launch categories. 14+ total. One rules file.

Each category targets a specific class of vulnerability that AI coding assistants consistently get wrong.

Launch categories:

  • Rate Limiting, CAPTCHA & SMS Pumping: prevent economic denial-of-service on paid API endpoints. Rate limits, bot protection, and OTP cooldowns.
  • Per-User Quotas: enforce usage caps per user on cloud services to prevent bill shock from a single abusive account.
  • API Key & Secrets Management: externalize credentials to environment variables. Covers 15 services including Stripe, AWS, and OpenAI.
  • IDOR / Broken Access Control: ownership checks on every CRUD operation. Users can only access their own data.
  • Row Level Security (Supabase): enforce RLS policies on every table. Prevent the CVE-2025-48757 class of data leaks.
  • PII Protection: hash passwords with bcrypt. Encrypt SSNs and sensitive PII at rest. Never store plaintext.
  • Password Reset Security: crypto-random tokens, expiry windows, single-use enforcement, and rate limiting on reset flows.
  • Data Exposure: filter API responses to return only the fields the client needs. No full database rows.

Coming soon: Sensitive Data Logging · OTP Code Leakage · CORS Misconfiguration · Typosquatting Protection · Firebase Auth Security · LLM Token Burn

Works with: Cursor · Claude Code · GitHub Copilot · Windsurf · Cline · Aider · Continue · Codex

Evidence-based security for every budget.

Every tier includes rules validated against frontier AI models.

Free
$0
Start with the two highest-impact categories and see the difference immediately.
  • 2 categories (EDoS + quotas)
  • Formatted for all 8 assistants
  • Evidence reports included
  • One-command install, instant setup
Get Free Rules
Security Review
$499+
Send your vibe-coded repo. Get a scored security report with specific remediation steps.
  • Full repo security audit
  • Scored report per category
  • Specific fix recommendations
  • 1:1 walkthrough call
  • Priority support for 30 days
Request a Review

Join vibe coders building secure apps.

New security rule categories drop to subscribers first.

Request a Security Review

Tell us what you need and we'll follow up within 24 hours.