How VibeScan works.
This page explains exactly how VibeScan scans apps, what evidence each check uses, what VibeScan cannot see, and where false positives can occur. Transparency is how a security tool earns trust.
The scanning model
VibeScan is a black-box scanner — it tests only what is publicly visible from the outside, without any code access, credentials, or authentication. This is the same view an attacker or any anonymous visitor has.
Every scan is a series of real HTTP requests made from VibeScan's servers to your app. We make no attempts to authenticate, exploit vulnerabilities, or modify data. We observe and report — nothing more.
- ✓Make HTTP/HTTPS requests to your URL
- ✓Read publicly visible response headers
- ✓Fetch and analyze public JavaScript bundles
- ✓Test CORS policy with synthetic origin headers
- ✓Check unauthenticated Supabase REST endpoints
- ✓Parse robots.txt and page HTML
- ✗Access your source code or repository
- ✗Attempt to authenticate as a user
- ✗Exploit vulnerabilities or extract data
- ✗Modify, create, or delete any data
- ✗Store your application's data
- ✗Share scan results with third parties
Individual checks
Each check is deterministic — based on a specific observable condition, not heuristics or scoring models.
Accuracy and limitations
False positives
VibeScan uses pattern matching on response data. In rare cases, a legitimate API key format in a public code example or documentation comment in a JS bundle may trigger a secrets finding. Every finding shows the raw evidence so you can verify it yourself. If you believe a finding is incorrect, email hello@vibescan.space.
False negatives
VibeScan cannot see authentication-gated content. If your admin panel is behind a login, VibeScan cannot test whether the admin API routes are properly protected. It also cannot detect server-side vulnerabilities (SQL injection, server-side template injection, insecure deserialization) as these require sending crafted payloads, which VibeScan does not do.
RLS detection limitations
VibeScan detects signals of missing Row Level Security — specifically, whether unauthenticated requests to Supabase REST endpoints return row data. This is a strong indicator but not a definitive audit. A full RLS review requires examining your Supabase policy configuration directly.
CORS detection scope
VibeScan tests CORS on the root URL and detected API paths. It cannot enumerate all endpoints in your application. An endpoint VibeScan doesn't discover will not be tested.
Dynamic apps
VibeScan makes a single pass over your app. Findings in JavaScript that is loaded lazily (via dynamic imports or after user interaction) may not be detected.
Responsible disclosure
VibeScan is a security product and we take the security of our own infrastructure seriously. If you discover a vulnerability in VibeScan itself — in the scanning engine, the API, or any web property — please report it responsibly.
- 1.Email security@vibescan.space with a description of the vulnerability and steps to reproduce.
- 2.We will acknowledge receipt within 48 hours.
- 3.We will provide a timeline for remediation within 7 days.
- 4.We ask for 90 days before public disclosure to allow time to fix the issue.
- 5.We do not pursue legal action against researchers acting in good faith.
Data handling
When you run a scan, VibeScan processes your app's public HTTP responses on our servers. Here is exactly what we store and what we don't:
- ✓The URL you scanned
- ✓The scan results (findings + score)
- ✓The scan timestamp
- ✓A generated scan ID for the shareable link
- ✗Your source code
- ✗Full API key values (truncated only)
- ✗User account data from your app
- ✗Database contents
Questions about our methodology?
Reach out at hello@vibescan.space. We're happy to explain any check in detail.