Your AI doesn't think about security.
VibeCure teaches it how.

Security rules for your AI coding assistant. Derived from vulnerabilities found in hundreds of real vibe-coded apps.

Free rules: bot detection & cost-limit abuse — delivered to your inbox. 6 more with your subscription.

New categories drop to subscribers first. Plus weekly eval findings.

45% of AI-generated code has vulnerabilities — Veracode, 2025
2,000+ vulns found in 5,600 vibe-coded apps — Escape.tech, 2025
Y
Prompt
“Build InviteHub — a team collaboration tool where project owners can invite members by email.”
JWT auth Create projects POST /projects/:id/invite SendGrid email
AI generates
Same prompt, same model — only difference is VibeCure rules
Default output Sonnet 4.5
// POST /projects/:id/invite router.post('/:id/invite', auth, async (req, res) => { const { email } = req.body; const token = crypto.randomBytes(32).toString('hex'); db.run(`INSERT INTO invites ...`, [...]); await sgMail.send({ to: email, from: 'noreply@invitehub.com', subject: 'You\'re invited!', html: `Click to join: ${link}` }); // ← no rate limit. no bot check. res.json({ message: 'Invitation sent' }); });
With VibeCure rules Sonnet 4.5
const rateLimit = require('express-rate-limit'); const inviteLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5 // 5 invites per window }); // POST /projects/:id/invite router.post('/:id/invite', auth, inviteLimiter, // ← rate limited verifyCaptcha, // ← bot protection async (req, res) => { const { email } = req.body; await sgMail.send({ ... }); res.json({ message: 'Invitation sent' }); });
What happens when you ship the left side
Account suspended — all email stops
Spam volume triggers an automated review. SendGrid freezes your account — no password resets, no invoices, no onboarding emails until you prove the root cause is fixed.
$7,300 on your card — by morning
Bots hit the unprotected endpoint at 10K req/sec. By morning you have a SendGrid bill and 600K spam emails sent from your domain.
Domain blacklisted — emails hit spam for months
Abuse volume burns your sending reputation. Even after you fix the code, password resets and invoices land in spam for 30–90 days.

Both sides generated from the same prompt on the same model. No cherry-picking — this is what ships. Full prompt, rules, and eval data on GitHub.

The Evidence

We don't guess. We test.

Every VibeCure rule is derived from vulnerabilities found in real vibe-coded apps. Here's what happens when rules are applied:

Category No rules OWASP / generic VibeCure
Bot abuse protection 8 API services tested
SendGrid Twilio OpenAI AWS S3 Google Maps Google TTS DeepL Stability AI
0% 0% 100%
Abuse cost limits 8 API services tested
SendGrid Twilio OpenAI AWS S3 Google Maps Google TTS DeepL Stability AI
0% 0% 100%
SMS abuse prevention 5 checks tested
Rate limiting Per-phone cooldown CAPTCHA / bot detection Geo-restriction Verify API
0% 0% 100%
Sensitive data encryption SSN & financial field encryption
SSN encryption (AES-256) Financial data protection
0% 0% 100%
Secret key management 15 services tested
Stripe OpenAI SendGrid Twilio AWS Plaid Sentry Slack MongoDB GitHub +5 more
0% 62% 97%

Tested across 7 frontier models · 14+ vulnerability categories

14+
Vulnerability Categories
7
Frontier Models Tested
500+
Apps Tested

Real Vulnerabilities We Found

What 0% actually looks like in production.

Every impact below was generated by a frontier AI model, shipped as-is, and exploitable on first request.

$50K Twilio bill overnight

Bots flood your SMS endpoint with premium-rate international phone numbers. You pay per message.

Generated by Claude Opus 4.6
$0 MRR by morning

A competitor sabotages you and cancels all your paid subscriptions in seconds.

Generated by GPT-5.2
Open chatbot, your credit card

Hackers find your open chatbot and resell access to your OpenAI key. You pay for every token.

Generated by Gemini 3 Pro

How It Works

Three steps. No learning curve.

VibeCure tells your AI assistant which security patterns to use — ones it knows but won't apply unless asked. No scanning tools. No CI/CD pipelines. Just a curated file, kept updated as models change.

1

Run one command

VibeCure detects your AI assistant and writes the rules file. 10 seconds, done.

$ npx vibecure --key sk_live_•••••

 Detected: .cursorrules
 Wrote 8 categories (42 rules)
 Rules active
2

Your AI reads it automatically

Cursor, Claude Code, Copilot, and 5 others read rules files before generating code.

# .cursorrules

Before each paid API call, check
user's quota in usage_tracking
(user_id, resource_type, count,
period_start). Return 429 when
exceeded. Reset each billing cycle.
  ... 42 rules across 8 categories
3

Safer code, every time

Per-user quotas, auth checks, key externalization — your AI applies them without being asked.

// ✔ VibeCure rule — per-user quota
const usage = await db('usage_tracking')
  .where({ user_id, resource_type: 'sms' });
if (usage.count >= DAILY_LIMIT)
  return res.status(429).json({
    error: 'quota exceeded' });

No scanning tool. No CI/CD pipeline. No learning curve. One command, instant security rules.

What's Covered

8 launch categories. 14+ total. One rules file.

Each category targets a specific class of vulnerability that AI coding assistants consistently get wrong.

Launch
Rate Limiting, CAPTCHA & SMS Pumping
Prevent economic denial-of-service on paid API endpoints. Rate limits, bot protection, and OTP cooldowns.
Launch 📊
Per-User Quotas
Enforce usage caps per user on cloud services to prevent bill shock from a single abusive account.
Launch 🔑
API Key & Secrets Management
Externalize credentials to environment variables. Covers 15 services including Stripe, AWS, and OpenAI.
Launch 🛡
IDOR / Broken Access Control
Ownership checks on every CRUD operation. Users can only access their own data.
Launch 🔒
Row Level Security (Supabase)
Enforce RLS policies on every table. Prevent the CVE-2025-48757 class of data leaks.
Launch 👤
PII Protection
Hash passwords with bcrypt. Encrypt SSNs and sensitive PII at rest. Never store plaintext.
Launch 🔄
Password Reset Security
Crypto-random tokens, expiry windows, single-use enforcement, and rate limiting on reset flows.
Launch 🔍
Data Exposure
Filter API responses to return only the fields the client needs. No full database rows.
Coming Soon
Sensitive Data Logging OTP Code Leakage CORS Misconfiguration Typosquatting Protection Firebase Auth Security LLM Token Burn
Works with
Cursor Claude Code GitHub Copilot Windsurf Cline Aider Continue Codex

Pricing

Evidence-based security for every budget.

Every tier includes rules validated against frontier AI models.

Free
$0
Start with the two highest-impact categories and see the difference immediately.
  • 2 categories (EDoS + quotas)
  • Formatted for all 8 assistants
  • Evidence reports included
  • One-command install, instant setup
Get Free Rules
Most Popular
Rules Bundle
$29 /year
All categories, all updates, all new rules as AI models change and new threats emerge.
  • All 8 launch categories + future additions
  • Rules updated when models change
  • Formatted for all 8 assistants
  • Evidence reports per category
  • npx vibecure@latest updates
Subscribe — $29/yr

LemonSqueezy checkout coming soon.

Security Review
$499+
Send your vibe-coded repo. Get a scored security report with specific remediation steps.
  • Full repo security audit
  • Scored report per category
  • Specific fix recommendations
  • 1:1 walkthrough call
  • Priority support for 30 days
Request a Review

Stay in the Loop

Join vibe coders building secure apps.

New security rule categories drop to subscribers first.

Request a Security Review

Tell us what you need and we'll follow up within 24 hours.