Auditor 1Auditor 2

Hire a human developer to audit your vibe-coded app.

A real developer battle-tests your app from every angle — clicking through every customer flow the way your users (and attackers) will. We surface the logic flaws a scanner can't see and you'd never think to check: the ones every app, vibe-coded or not, quietly ships with. Then we ship the fix as a pull request you approve.

A scanner sees the outside. A developer sees what breaks.

An automated scan catches exposed keys, missing headers, world-readable databases. It can't click through your signup, stack a coupon, replay a webhook, or jump between two users' orders. A real developer does — testing your app the way your users and attackers actually will, and finding the logic flaws every app, vibe-coded or not, quietly ships with.

~ 6s

What runs on every URL.

Free or $19. No signup. Read-only. Catches the technical misconfigurations that AI tools ship by default.

  • Security headers (CSP, HSTS, XFO, ...)
  • Cookie flags (Secure, HttpOnly, SameSite)
  • Secrets in JS bundles (Stripe sk_live, OpenAI, AWS)
  • Platform fingerprint
  • Supabase RLS probing (CVE-2025-48757)
  • Firebase Realtime / Firestore rules
  • Exposed files (.env, .git, backup.sql, source maps)
  • Open-redirect via discovered params
Human checker2–3 weeks

What only a human can confirm.

From $300, fixed scope. Real engineers running real flows. Fix shipped as a pull request you approve.

  • Trial / promo abuse (Stripe fingerprint dedup)
  • IDOR / BOLA (multi-account testing)
  • Business-logic flaws (race conditions, step-skipping)
  • Payment-webhook signature integrity
  • Stored XSS + second-order injection
  • BOPLA — field-level authorization
  • LLM excessive agency / agent blast-radius
  • Compliance signals (GDPR / PCI / HIPAA)

// what a human catches

The checks that need a human.

Each of these requires multiple test accounts, real payment flows, knowledge of your intended access model, or code review. A URL-only scanner can flag candidates — only a human can confirm and fix them.

01

OWASP API6:2023 · A04:2025

Trial / promo abuseMost asked for

Every SaaS needs this and almost none have it dialed in. We sign up multiple times with new emails and the same payment method, attempt plus-addressing (foo+1@gmail.com), gmail dot-stripping, fresh devices, and VPN'd IPs — and document exactly what your dedup catches.

A founder we know watched their friend stack six free trials on a $39/mo SaaS by changing the email and reusing the same card. The fix was a 30-minute change to dedupe on Stripe's card.fingerprint. Most teams never check that field.
02

OWASP API1:2023 · CWE-639

IDOR / BOLA confirmation

OWASP WSTG mandates ≥ 2 authenticated accounts to reliably test for insecure direct object references. We log in as User A, change /orders/123 to /orders/124, and document whether User B's data leaks back.

03

OWASP A04:2025 · API6:2023

Business-logic flaws

Race conditions on concurrent state changes, multi-step workflows that accept POSTs skipping earlier steps, coupon stacking, negative-quantity carts. Code that does the happy path correctly but breaks under adversarial use.

04

OWASP API8:2023 · CWE-345

Payment-webhook integrity

Stripe / PayPal webhooks must verify HMAC signatures and reject replays. We attempt forged webhooks against your endpoint and audit the verification path. Missing signature checks have leaked > $200K in our case-study research.

05

OWASP A05:2025 · CWE-79

Stored XSS + second-order injection

Payloads that only fire after persisted data is rendered by a second user. We submit canary content as User A and audit how the app renders it for User B in admin views, exports, notifications, and emails.

06

OWASP API3:2023

BOPLA — field-level authorization

Whether role A should see field X but not Y on the same resource. Requires understanding your intended access model — a scanner can't guess what each field is supposed to permit.

07

OWASP LLM06:2025

LLM excessive agency / agent blast-radius

For apps with agentic tool-calling — Cursor or Devin-built backends, Claude Code agents — what tools the agent can invoke, with what permissions, and whether the autonomy boundary is appropriate. This is review work, not endpoint probing.

08

GDPR · PCI · HIPAA

Compliance signals

Whether your data handling meets the laws you're subject to. Cookie consent, data residency, retention policies, DPAs with sub-processors, BAAs if you touch health data. Legal posture, not technical — needs a human eye.

Named engineers. Direct line.

No outsourcing. No project-manager middle layer. The same engineer who scopes the audit reviews and signs the PR.

AS

Ali Saeed

Founder & lead engineer

Production engineer fluent in the vibe-coding stack — React, Node, PostgreSQL, Supabase, Vercel — and the AI builders (Claude Code, Cursor, Lovable, Bolt). Runs every scoping call. Reviews every PR before it ships.

  • 10+ years production engineering
  • Vibe-coding native (Lovable / Bolt / Cursor)
  • Built bleek's own scanner from scratch
SR

Senior reviewer

Security review · placeholder

Second pair of eyes on every audit. Background in application security and secure code review. (Profile coming soon — replace headshot via Studio when added.)

  • Application security background
  • OWASP WSTG-driven methodology

// how the audit runs

Four steps. Two to three weeks.

  1. 01

    Scoping call (30 min)

    We walk through your app together, agree on the audit scope, and write down a fixed-price quote. No retainer, no surprises.

  2. 02

    Read-only access

    Add us as read-only collaborators on your repo + provide two test accounts. NDA on request. Access revocable any time.

  3. 03

    Audit + report

    We run every applicable check from the list above. You get a prioritized report with severity, evidence, and a proposed fix for each finding.

  4. 04

    Fix shipped as a PR

    We open one PR per finding for you to review and merge. Demo / re-test included.

Your repo stays yours

Read-only access by default. We open pull requests; you merge them. We never push directly.

Fixed scope, fixed price

Agreed up front in the scoping call. No hourly billing surprises.

No middle layer

A real engineer runs your audit and you talk to them directly — no project manager, no offshore team, no ghosting.

Get on a call.

We'll scope your audit in 30 minutes and quote a fixed price. If your app doesn't need an audit, we'll tell you that too.