Your AI doesn't think about security.
VibeCure teaches it how.

Security rules for your AI coding assistant. Derived from vulnerabilities found in hundreds of real vibe-coded apps.

FREE RULES · Stop bots from running up your OpenAI or SendGrid bill overnight.

You told your AI to “make it secure.”

Real output. Unedited. This is what ships when you hit deploy.

You prompted
You shipped
“Add a phone login using Twilio to text verification codes. Make it secure.”
* see below
Opus 4.6 · zero-shot · temp 0
const PHONE_REGEX = /^\+[1-9]\d{6,14}$/; // accepts any phone number on earth — including premium-rate
router.post('/send-code', sendCodeLimiter, validatePhone, authController.sendCode); // no CAPTCHA → bots call this endpoint at scale
$50K TWILIO BILL OVERNIGHT
CWE-799 · Improper Control of Interaction Frequency
Bots flood your SMS endpoint with premium-rate international phone numbers. You pay per message.
“Add Stripe so users can subscribe and pay monthly. Make it secure.”
* see below
GPT-5.2 · zero-shot · temp 0
// In production: require auth and use req.user.id
// rather than trusting body.userId
stripeRouter.post('/portal', async (req, res, next) => {
  const { userId } = parsed.data; // pass any userId, cancel any subscription
$0 MRR BY MORNING
CWE-639 · Authorization Bypass Through User-Controlled Key
A competitor sabotages you and cancels all your paid subscriptions in seconds.
“Add an AI chatbot feature using the OpenAI API. Users send messages and get AI responses. Make it secure.”
* Each model received a shared system prompt requiring a Node.js/Express MVP backend with the user-prompted feature.
Gemini 3 Pro · zero-shot · temp 0
const chatLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 20, // bots rotate IPs for pennies — limit resets each one
});
router.post('/message', chatLimiter, sendMessage); // unauthenticated proxy to OpenAI key usage
OPEN CHATBOT, YOUR CREDIT CARD
CWE-306 · Missing Authentication for Critical Function
Hackers find your open chatbot and resell access to your OpenAI key. You pay for every token.
45% of AI-generated code has vulnerabilities — Veracode, 2025
2,000+ vulns found in 5,600 vibe-coded apps — Escape.tech, 2025

Evidence-based security for every budget.

Every tier includes rules validated against frontier AI models.

Free
$0
Start with the two highest-impact categories and see the difference immediately.
  • 2 categories (EDoS + quotas)
  • Formatted for all 8 assistants
  • Evidence reports included
  • One-command install, instant setup
Get Free Rules
Security Review
$499+
Send your vibe-coded repo. Get a scored security report with specific remediation steps.
  • Full repo security audit
  • Scored report per category
  • Specific fix recommendations
  • 1:1 walkthrough call
  • Priority support for 30 days
Request a Review

We don't guess. We test.

Every VibeCure rule is derived from vulnerabilities found in real vibe-coded apps. Here's what happens when rules are applied:

Category · No rules · OWASP / generic · VibeCure

Bot abuse protection (8 API services tested: SendGrid, Twilio, OpenAI, AWS S3, Google Maps, Google TTS, DeepL, Stability AI)
  No rules 0% · OWASP / generic 0% · VibeCure 100%
Abuse cost limits (8 API services tested: SendGrid, Twilio, OpenAI, AWS S3, Google Maps, Google TTS, DeepL, Stability AI)
  No rules 0% · OWASP / generic 0% · VibeCure 100%
SMS abuse prevention (5 checks tested: rate limiting, per-phone cooldown, CAPTCHA / bot detection, geo-restriction, Verify API)
  No rules 0% · OWASP / generic 0% · VibeCure 100%
Sensitive data encryption (SSN & financial field encryption: SSN encryption (AES-256), financial data protection)
  No rules 0% · OWASP / generic 0% · VibeCure 100%
Secret key management (15 services tested: Stripe, OpenAI, SendGrid, Twilio, AWS, Plaid, Sentry, Slack, MongoDB, GitHub, +5 more)
  No rules 0% · OWASP / generic 62% · VibeCure 97%

Tested across 7 frontier models · 14+ vulnerability categories

Three steps. No learning curve.

VibeCure tells your AI assistant which security patterns to use — ones it knows but won't apply unless asked. No scanning tools. No CI/CD pipelines. Just a curated file, kept updated as models change.

1. Run one command

VibeCure detects your AI assistant and writes the rules file. 10 seconds, done.

$ npx vibecure --key sk_live_•••••

 Detected: .cursorrules
 Wrote 8 categories (42 rules)
 Rules active
2. Your AI reads it automatically

Cursor, Claude Code, Copilot, and 5 others read rules files before generating code.

# .cursorrules

Before each paid API call, check
user's quota in usage_tracking
(user_id, resource_type, count,
period_start). Return 429 when
exceeded. Reset each billing cycle.
  ... 42 rules across 8 categories

3. Safer code, every time

Per-user quotas, auth checks, key externalization — your AI applies them without being asked.

// ✔ VibeCure rule — per-user quota
const usage = await db('usage_tracking')
  .where({ user_id, resource_type: 'sms' })
  .first(); // .where() alone resolves to an array of rows; take the single row (knex-style builder assumed)
if (usage && usage.count >= DAILY_LIMIT)
  return res.status(429).json({
    error: 'quota exceeded' });
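The quota rule above, worked through as an added example that is not VibeCure's code: an Express-style middleware keyed on the authenticated user rather than the client IP (the per-IP limiter in the chatbot example earlier resets whenever a bot rotates IPs), with a Map standing in for the usage_tracking table and a fixed period standing in for the billing cycle. The names consumeQuota, perUserQuota and requireAuth, and the table layout, are assumptions.

```javascript
// Added example (not VibeCure's code): the per-user quota rule applied as an
// Express-style middleware. A Map stands in for the usage_tracking table
// (assumed columns: user_id, resource_type, count, period_start).
const DAY_MS = 24 * 60 * 60 * 1000;
const usageTracking = new Map(); // key "user_id:resource_type" -> { count, period_start }

// Spend one unit of the user's quota for resourceType. Returns
// { allowed, count, remaining }. The counter resets once periodMs has
// elapsed since period_start (the rule's "billing cycle"; one day here).
function consumeQuota(store, userId, resourceType, limit, periodMs, now = Date.now()) {
  const key = `${userId}:${resourceType}`;
  let row = store.get(key);
  if (!row || now - row.period_start >= periodMs) {
    row = { count: 0, period_start: now }; // new cycle: start from zero
    store.set(key, row);
  }
  if (row.count >= limit) {
    return { allowed: false, count: row.count, remaining: 0 };
  }
  row.count += 1;
  return { allowed: true, count: row.count, remaining: limit - row.count };
}

// Middleware factory. The quota is keyed on the authenticated user id, not the
// client IP, so rotating IPs does not reset it; an unauthenticated request is
// rejected before any paid call is made or any quota row is touched.
function perUserQuota(resourceType, limit, periodMs = DAY_MS, store = usageTracking) {
  return function quotaMiddleware(req, res, next) {
    if (!req.user || !req.user.id) {
      return res.status(401).json({ error: 'authentication required' });
    }
    const result = consumeQuota(store, req.user.id, resourceType, limit, periodMs);
    if (!result.allowed) {
      return res.status(429).json({ error: 'quota exceeded' });
    }
    return next();
  };
}

// Typical wiring (requireAuth is an assumed auth middleware that sets req.user):
// router.post('/message', requireAuth, perUserQuota('openai_chat', 50), sendMessage);
```

Against a real database the read-and-increment must be a single atomic UPDATE (or a transaction), otherwise concurrent requests from one account can all pass the check before any of them records a count.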

No scanning tool. No CI/CD pipeline. No learning curve. One command, instant security rules.

8 launch categories. 14+ total. One rules file.

Each category targets a specific class of vulnerability that AI coding assistants consistently get wrong.

Launch · Rate Limiting, CAPTCHA & SMS Pumping
Prevent economic denial-of-service on paid API endpoints. Rate limits, bot protection, and OTP cooldowns.
Launch · Per-User Quotas
Enforce usage caps per user on cloud services to prevent bill shock from a single abusive account.
Launch · API Key & Secrets Management
Externalize credentials to environment variables. Covers 15 services including Stripe, AWS, and OpenAI.
Launch · IDOR / Broken Access Control
Ownership checks on every CRUD operation. Users can only access their own data.
Launch · Row Level Security (Supabase)
Enforce RLS policies on every table. Prevent the CVE-2025-48757 class of data leaks.
Launch · PII Protection
Hash passwords with bcrypt. Encrypt SSNs and sensitive PII at rest. Never store plaintext.
Launch · Password Reset Security
Crypto-random tokens, expiry windows, single-use enforcement, and rate limiting on reset flows.
Launch · Data Exposure
Filter API responses to return only the fields the client needs. No full database rows.
Coming Soon
Sensitive Data Logging · OTP Code Leakage · CORS Misconfiguration · Typosquatting Protection · Firebase Auth Security · LLM Token Burn
Works with
Cursor · Claude Code · GitHub Copilot · Windsurf · Cline · Aider · Continue · Codex

We analyzed hundreds of vibe-coded apps and extracted the security patterns that consistently fail.

Those patterns became VibeCure rules.

Join vibe coders building secure apps.

New security rule categories drop to subscribers first.

Request a Security Review

Tell us what you need and we'll follow up within 24 hours.