How to interpret your results
After your scan completes, you get a security report with every finding and its severity. Here's how to read it and what to do with it.
Understanding severity levels
A Critical finding means sensitive data is actively exposed or your app is trivially compromised right now. An attacker could exploit this with a one-line script. Stop and fix this before anything else.
A High finding means your app has a serious misconfiguration that an attacker can realistically exploit. It requires them to craft a specific attack, but the barrier is low. Fix this before you grow your user base.
A Medium finding means your app is missing defenses that would mitigate common attack types. On their own they're not immediately exploitable, but they amplify the impact of other vulnerabilities. Fix them in your next planned deployment.
A Low finding is a hardening recommendation or an informational issue. It's worth fixing, but it's unlikely to result in a breach on its own. Address these when you have time.
What to do with your results
If you have any Critical findings — especially exposed API keys or no HTTPS — stop everything and fix those first. They represent active exposure, not theoretical risk.
High findings like wildcard CORS become more dangerous as you grow. An app with 10 users is less attractive than one with 1,000. Fix these before scaling.
Security headers are a one-time fix — add a vercel.json or next.config.js headers block and all Medium header findings disappear in a single deployment.
After you fix issues and redeploy, run VibeScan again to confirm the fixes are live. VibeScan checks what's actually served, not what's in your code.
What a clean report means
A VibeScan with all green checks means your app's publicly visible surface is well-configured. You have HTTPS, security headers, a locked CORS policy, and no exposed secrets in your page source.
It does not mean your app is perfectly secure — VibeScan can only see what an outside observer can see. Authentication logic, database access controls, and server-side configuration require code review. A clean VibeScan score means you've handled the most common and most easily exploitable issues.