6 things every vibe-coded app needs to pass before you launch.

The Wiz study (May 2026) found 20% of vibe-coded apps in production have serious vulnerabilities. Master of Code (May 20 2026) found 45% ship with at least one security flaw. Martin Fowler's "VibeSec Reckoning" called it systemic. Most of the gaps are checkable in 30 minutes by a non-technical founder with a checklist. The $99 human read applies the same checklist to your live app and gives you a stop/go list before paid traffic.

The 6 sections, in order

1. Intake forms
Where do submitted emails / uploads / accounts actually go? Is there server-side validation? A delete / redact path? Highest-blast-radius section in 2026 — silent data leaks start here.

2. Privacy copy
Is the privacy policy specific to what the app actually does? Honest about retention? Has a working contact path? Regulator's first stop if a complaint lands.

3. Checkout evidence
Is the processor the one you think it is? Can you prove a payment from the processor dashboard, not the app? Is there a refund path? Is test mode separated from live?

4. Upload boundaries
Hard size cap? Content-type check (not just extension)? Upload dir outside the web root? Top-3 source of vibe-coded incidents — defaults are permissive.

5. Auth promises
Passwords hashed, not stored plain? Session expiry? Login rate limit? Token-based, time-limited password reset? Each missing check is a different incident shape.

6. Fulfillment claims
Is every marketing claim something the app does today? Is the "powered by" claim honest? Is there a stated delivery window for human actions? The gap between claim and reality is the silent cancellation driver.
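What the three upload-boundary questions in section 4 look like in code, as an added example that is not part of the service description and not the code of any audited app: a hard size cap, a content-type decision made from the file's leading bytes instead of the client's extension, and a storage path pinned to a directory outside the web root. The cap, the allowed types and the `/srv/app/...` paths are assumptions chosen for the illustration; stdlib only.

```python
"""Upload-boundary checks (added illustration, stdlib only)."""
import secrets
from pathlib import Path

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # hard cap; assumed value, tune per product

# Allowed types, recognised by leading magic bytes. The extension on the
# right is the one WE assign; the client's extension is never trusted.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}

# Assumed layout: WEB_ROOT is served statically, UPLOAD_DIR sits beside it,
# so an uploaded file can never be fetched (or executed) by URL.
WEB_ROOT = Path("/srv/app/public")
UPLOAD_DIR = Path("/srv/app/uploads")


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a boundary check."""


def sniff_type(data: bytes):
    """Return our extension for a known magic prefix, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def outside_web_root(upload_dir: Path, web_root: Path) -> bool:
    """True if upload_dir is neither the web root nor inside it."""
    u, w = upload_dir.resolve(), web_root.resolve()
    return u != w and w not in u.parents


def validate_upload(client_filename: str, data: bytes) -> dict:
    """Apply size, content-type and path checks; return where to store the file."""
    if len(data) == 0:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("exceeds size cap")
    ext = sniff_type(data)
    if ext is None:
        raise UploadRejected("content type not allowed")
    if not outside_web_root(UPLOAD_DIR, WEB_ROOT):
        raise UploadRejected("upload dir is inside web root")
    # The client filename is kept only for display/logging; on disk the file
    # gets a random name plus the extension derived from the sniffed type,
    # so "../" tricks and double extensions never reach the filesystem.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    dest = (UPLOAD_DIR / stored_name).resolve()
    if UPLOAD_DIR.resolve() not in dest.parents:
        raise UploadRejected("path escaped upload dir")
    return {"original": client_filename, "stored_as": stored_name,
            "type": ext, "path": str(dest)}


def reject_reason(client_filename: str, data: bytes):
    """Convenience wrapper: the rejection reason, or None if the upload passes."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None
```

The order matters: the size check runs before anything parses the bytes, and the web-root check is a startup-time invariant you can assert once rather than per request. A framework's default upload handler often performs none of the three.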
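The four auth promises in section 5, shown together as an added example (not part of the service description, not any audited app's code): salted scrypt password hashing with constant-time verification, sessions that expire, a per-account login rate limit, and a password-reset token that is random, stored only as a hash, time-limited and single-use. The TTLs and the attempt limit are assumed values; the in-memory dicts and the injectable `clock` stand in for a database and real time so the behaviour can be exercised offline.

```python
"""Auth-promise checks (added illustration, stdlib only)."""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 60 * 60 * 8   # assumed: sessions live 8 hours
RESET_TTL = 60 * 15         # assumed: reset links live 15 minutes
LOGIN_WINDOW = 60 * 10      # assumed: at most LOGIN_LIMIT attempts per 10 minutes
LOGIN_LIMIT = 10


def hash_password(password: str) -> str:
    """Salted scrypt; the stored string carries algorithm, salt and digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


class AuthStore:
    """In-memory stand-in for the user/session tables; clock is injectable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # email -> password hash string
        self.sessions = {}   # session id -> (email, expires_at)
        self.attempts = {}   # email -> list of attempt timestamps
        self.resets = {}     # sha256(token) -> (email, expires_at)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login_allowed(self, email: str) -> bool:
        """Sliding-window limit: drop attempts older than LOGIN_WINDOW."""
        now = self.clock()
        recent = [t for t in self.attempts.get(email, []) if now - t < LOGIN_WINDOW]
        self.attempts[email] = recent
        return len(recent) < LOGIN_LIMIT

    def login(self, email: str, password: str):
        """Return a session id on success, None on failure or when rate-limited."""
        if not self.login_allowed(email):
            return None
        self.attempts.setdefault(email, []).append(self.clock())
        stored = self.users.get(email)
        if stored is None or not verify_password(password, stored):
            return None
        self.attempts.pop(email, None)  # a good login resets the counter
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (email, self.clock() + SESSION_TTL)
        return sid

    def session_user(self, sid: str):
        """Email for a live session, or None once it has expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]
            return None
        return email

    def start_reset(self, email: str) -> str:
        """Issue a reset token. Only its hash is stored; the response shape is
        the same whether or not the email exists."""
        token = secrets.token_urlsafe(32)
        if email in self.users:
            key = hashlib.sha256(token.encode()).hexdigest()
            self.resets[key] = (email, self.clock() + RESET_TTL)
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), reject if expired, rotate the hash
        and drop every existing session for that account."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() >= expires_at:
            return False
        self.users[email] = hash_password(new_password)
        self.sessions = {s: v for s, v in self.sessions.items() if v[0] != email}
        return True
```

Each of the four checks maps to a different incident shape, which is why the checklist asks about them separately: a plaintext password table turns a database leak into credential reuse everywhere, a session without expiry turns a stolen cookie into permanent access, no login limit invites guessing, and a reset token that is reusable or never expires is a second front door.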

The 30-minute self-audit score bands

Walk the 6 sections, score yes/no per question (23 questions total). Then look at your band.

22-23 / 23 · Ready
Ready for paid traffic. Keep the checklist. Rerun before every major change.
17-21 / 23 · Probably
The 1-3 gaps are fixable in a half day. Fix them, then launch.
12-16 / 23 · Not ready
The gaps compound. Pick the 3-5 highest-blast-radius fixes before any traffic that could be regulated.
0-11 / 23 · Not ready
Not safe to take real user data or real money. Either do the work, or pause the launch.

What you get for $99

Within one business day of receiving your public URL or sanitized export, you receive:

What it is not

This is not a penetration test, not a security certification, not a legal opinion, not a compliance attestation, and not exploit testing. It is a practical launch-safety triage with a human review gate. The first public customer report is reviewed before delivery. If your intake is rejected as unsafe, unauthorized, out of scope, or impossible to fulfill without secrets / protected access, the order is refund-gated rather than delivered dishonestly.

What it costs

Buy the $99 launch safety audit: one-time · USD · 1 business day delivery · invoice via email

Read the full service description: scope, intake rules, redacted sample report

When a 30-minute self-audit is not enough

Three situations where the $99 read is the right floor, not the ceiling:

For those cases, the $149 AI Ops Checkup is the production-agent forensic read; the $299 LLM Bill Triage is the cost-explosion read.

If you would rather do the 30-minute self-audit first, the dev.to article walks every question in order: The 6 things every vibe-coded app needs to pass before you launch it in 2026.