Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Reddit r/netsec

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs

A large-scale security audit of 1,764 modern web applications revealed widespread critical vulnerabilities, primarily from disabling Supabase Row Level Security (RLS), which exposes entire databases publicly. Additional high-risk findings include client-side exposure of API keys for services like OpenAI and Stripe in 15% of Bolt.host apps, along with Insecure Direct Object References (IDOR) and completely unauthenticated API endpoints. The audit methodology involved read-only scanning of targets sourced from public directories, with all critical findings verified and privately disclosed prior to publication.

Summary statistics

- 1,765 apps scanned
- 456 Critical findings
- 3,339 High findings
- 54,389 Total findings
- 85 apps with CRITs
- 2,139 scan runs

Per-platform CRIT rate

Platform                 Scanned   With CRIT   Rate
YC companies (W21–F25)   200       0           0%
Lovable                  476       34          7.1%
Bolt.host                289       21          7.3%
Replit                   194       4           2.1%
Vercel (v0/AI)           67        2           3.0%
Streamlit                90        0           0%
Other                    53        3           5.7%

Finding breakdown

Top CRIT categories across all scans:

- Supabase RLS off: 96% of all CRITs. Tables with real user data readable by anyone with the public anon key.
- API keys in JS bundles: OpenAI, Anthropic, Google, and Stripe keys shipped client-side. 15% of Bolt.host apps affected.
- IDOR / broken access control: sequential IDs on API endpoints returning other users' data.
- Unauthed APIs: entire OpenAPI specs with zero security schemes defined.
- Private key material in production: PEM-format keys bundled by Webpack/Vite.

Methodology

- Targets sourced from certificate transparency logs, Google search, and platform directories.
- All scans are read-only (GET + minimal POST probes).
- 50+ scanner modules per target.
- Every CRIT finding verified reproducible before disclosure.
- Private disclosures sent to all identifiable owners before publication.

Scanner: securityscanner.dev, open to anyone. One free scan, no card.

Detailed write-ups

- Lovable vs Bolt vs Replit: per-platform RLS breakdown
- Beyond Supabase RLS: 5 other critical vulnerabilities
- Top 5 Supabase RLS mistakes on Lovable apps
- Top 5 security issues on Replit apps

This report is updated as we scan more apps. Data as of April 2026. Questions or corrections: [email protected]
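The top finding above (Supabase RLS left off, so every row is readable with the public anon key) comes down to a Postgres configuration. As an added example that is not the audit's or Supabase's own code, here is the weak state beside the corrected one, assuming a hypothetical public.profiles table with a user_id column:

```sql
-- Added example (not from the audit or from Supabase): the configuration
-- the audit flags, next to the corrected one. The table and its columns
-- are hypothetical.

-- WEAK: a freshly created table has RLS disabled. Through the Supabase
-- REST API, any request carrying the public anon key can read every row.
create table public.profiles (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  email   text not null
);
-- (this is the same as: alter table public.profiles disable row level security;)

-- CORRECTED: enable RLS, then add explicit policies. Once RLS is on, a table
-- with no matching policy returns zero rows to the anon and authenticated
-- roles; only the service_role key, which must stay server-side, bypasses it.
alter table public.profiles enable row level security;

-- Signed-in users may read only their own row. auth.uid() is the Supabase
-- helper that returns the subject of the caller's JWT.
create policy "profiles: owner can read"
  on public.profiles
  for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can update"
  on public.profiles
  for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- No policy is granted to the anon role, so a request that presents only the
-- public anon key gets an empty result set instead of the whole table.

-- Check: list tables in the public schema that still have RLS switched off.
-- An empty result means every exposed table has RLS enabled.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Run the final query in the SQL editor of the project; any table it lists is reachable in full with the anon key until RLS is enabled on it.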
