A two-founder fintech startup vibe-coded their entire MVP with Cursor and Bolt in three weeks. We found 34 critical vulnerabilities, hardened the codebase, and got them launch-ready in 11 days.
Client: Pre-Seed Fintech Startup
Two non-technical founders built a personal finance aggregation MVP using Cursor and Bolt.new in three weeks — account linking, transaction categorization, and spending dashboards. It worked on localhost. But a CodeRabbit scan flagged 34 security vulnerabilities including exposed API keys in client-side bundles, zero input validation on financial data endpoints, hardcoded Plaid credentials in a public GitHub repo, missing CSRF protection on all state-changing operations, and IDOR flaws that let any authenticated user access any other user's financial data by changing the account ID in the URL. With a demo day six weeks away and ₹18L in pre-seed funding committed, shipping the app as-is would have been a regulatory and reputational disaster.
We ran our full Vibe Code Rescue pipeline. Day 1-2: automated scanning with OWASP ZAP, Snyk, SonarQube, and CodeQL across the entire Next.js + Supabase codebase. Day 3-5: manual review of authentication flows, API authorization logic, and Plaid integration security. We found the AI had generated a seemingly correct auth middleware that actually bypassed token verification on 6 of 14 API routes. Day 6-9: fixed all 34 vulnerabilities — rotated every exposed credential, implemented row-level security in Supabase, added input validation and rate limiting on every endpoint, set up CSRF protection, added security headers (CSP, HSTS, X-Frame-Options), and configured proper environment variable management. Day 10-11: penetration testing to verify all fixes, CI/CD pipeline setup with GitHub Actions including automated security scanning on every PR, and Dependabot for dependency monitoring. We also configured Sentry for error tracking and set up a pre-commit hook pipeline with gitleaks and ESLint security rules to prevent future credential leaks.
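To make the IDOR class described above concrete, here is an added example (not the client's code) showing the vulnerable account lookup beside the ownership-scoped fix, in a Next.js-style route handler with a constructed in-memory stand-in for the Supabase accounts table; the session and params shapes and the account fields are assumptions.

```javascript
// Added example, not the client's code. The accounts array is constructed
// sample data standing in for a Supabase table with a user_id column.
const accounts = [
  { id: 'acc_1', userId: 'user_a', institution: 'Bank A', balance: 1200 },
  { id: 'acc_2', userId: 'user_b', institution: 'Bank B', balance: 5400 },
];

// Assumed handler shapes: session is { userId } or null once the auth
// middleware has run; params.accountId comes straight from the URL.
const ACCOUNT_ID = /^acc_[a-z0-9]{1,32}$/;

// Vulnerable pattern: authenticates the caller but never checks who owns
// the row, so any signed-in user can read any account by changing the ID.
function getAccountVulnerable(session, params) {
  if (!session) return { status: 401, body: { error: 'unauthenticated' } };
  const account = accounts.find((a) => a.id === params.accountId);
  if (!account) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: account };
}

// Hardened pattern: validate the untrusted path parameter, then scope the
// lookup to the caller's own user ID. This is the same predicate a Supabase
// row-level-security policy (auth.uid() = user_id) enforces in the database,
// so the check holds even if a future route forgets it. A foreign ID returns
// 404 rather than 403, so the response does not confirm the ID exists.
function getAccountHardened(session, params) {
  if (!session) return { status: 401, body: { error: 'unauthenticated' } };
  if (typeof params.accountId !== 'string' || !ACCOUNT_ID.test(params.accountId)) {
    return { status: 400, body: { error: 'invalid account id' } };
  }
  const account = accounts.find(
    (a) => a.id === params.accountId && a.userId === session.userId,
  );
  if (!account) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: account };
}

// user_b asking for user_a's account: the vulnerable handler leaks it,
// the hardened handler does not.
console.log(getAccountVulnerable({ userId: 'user_b' }, { accountId: 'acc_1' }).status); // 200
console.log(getAccountHardened({ userId: 'user_b' }, { accountId: 'acc_1' }).status);   // 404
```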
34 vulnerabilities fixed: critical and high-severity issues remediated.
11 days to launch-ready: from audit start to production-hardened codebase.
A+ security score: Mozilla Observatory and Snyk security rating.
0 post-launch incidents: zero security incidents in the first 90 days.