Vibe Coding's Security Gap Gets a Dashboard
Vercel ships a Security Dashboard for misconfig sprawl. What it means for founders running Lovable, Bolt, v0, or Claude Code apps.
Platforms are starting to admit what founders already suspect: shipping fast with AI coding agents creates security debt nobody tracks. Today's clearest signal comes from Vercel, which just put a number on the problem. The rest of the day's vibe-coding chatter — guardrail debates, a viral overnight app — points at the same gap.
TL;DR
- Vercel's new Security Dashboard (private beta) flags missing 2FA, publicly accessible preview environments, and long-lived credentials across every project on an account.
- Vercel's own writeup names the cause: "coding agents make it easy to spin up new projects," so misconfigurations "add up quietly and quickly."
- Separately, Service Bindings now auto-handle auth and TLS between internal services — one less thing a human (or an agent) can leave open.
- Commentary at Vibing With AI argues the real issue was never the tool — it's the missing baseline for what "safe to ship" looks like.
Platforms are admitting the sprawl problem
Vercel's new Security Dashboard is worth reading closely, not because you're necessarily on Vercel, but because of what it targets. Per the changelog, it looks for team members without two-factor authentication, preview environments that are publicly reachable when they shouldn't be, and long-lived credentials sitting where short-lived ones belong. None of these are exotic. All of them are the kind of thing that happens when you spin up a project fast, add a feature fast, and never go back to check the settings.
That's the pattern with every AI builder — Lovable, Bolt, v0, Replit, Claude Code, Windsurf included. The agent gets you to "it works" quickly. It doesn't audit what got left open on the way there.
Guardrails are starting to catch up to speed
A few other Vercel changes point the same direction. Service Bindings now inject auth and TLS automatically when one service calls another inside a deployment, instead of leaving that wiring to whoever built the app. AI Gateway routing rules work like a firewall for model access — a team can now push one rule to block or reroute a model, rather than relying on scattered application code to enforce it.
The pattern: infrastructure providers are building default-safe plumbing because they've noticed builders — human or AI — won't reliably do it themselves. That's a tacit admission that the current baseline isn't good enough.
The baseline gap, in the wild
Vibing With AI has been circling this for a while. One post, "Vibe Coding Isn't the Problem. It's the Lack of a Baseline", argues the tool isn't what's producing "vibeslop" — the missing literacy about what a shipped app actually needs is. A companion piece, "Vibe Coding Needs Guardrails", pushes the same point further: without some shared definition of what "done" means, security review quietly falls out of the process.
Meanwhile, on r/vibecoding, someone's adblocker "did numbers" — built on a whim a week earlier, now getting real traffic. That's the founder experience in miniature: an app built in days can reach thousands of users before anyone circles back to check settings, credentials, or access rules. Speed to users has outpaced time to review. That gap is exactly what a security dashboard, or a five-minute manual check, is for.
FAQ
I don't use Vercel. Does this apply to me?
The dashboard is Vercel-specific, but the underlying problem isn't. Any platform that lets you spin up a project in minutes — Lovable, Bolt, Replit, v0 — has the same failure mode: settings that default open, credentials that don't rotate, preview URLs nobody remembers are public.
What should I actually check on my own app this week?
Three things Vercel's dashboard flags are a good checklist anywhere: is 2FA on for every account with access to your project, is your staging or preview environment reachable by anyone with the URL, and are any of your API keys or tokens long-lived when they don't need to be.
Is going viral itself a security risk?
Not by itself. But it removes your buffer. A misconfiguration that sits quietly with ten users can become a real incident with ten thousand. The adblocker case is a reminder that traffic can arrive faster than a security review does.
The bottom line
Nothing in today's roundup is a breach or a CVE. It's platforms and commentators converging on the same diagnosis: AI coding agents make shipping fast, and fast shipping quietly outruns security review. Vercel built a dashboard to close that gap for its own users. If your app lives elsewhere, the fix is the same idea without the dashboard — go back and check what's public, what's rotating, and who has access, before your app is the one that "did numbers."
Find your gaps before an attacker does.
Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.
Run a free scan →