# bleek — Find every leak in your vibe-coded app
> Free security scanner for applications built with AI code generation tools (Lovable, Bolt.new, Cursor, Claude Code, v0, Replit, Windsurf, Base44). Paste a URL — bleek finds every leak in 60 seconds.
## Sections
- Homepage (https://bleek.dev/) — animated scan demo, OWASP-anchored coverage list, 3-tier pricing, named-founder trust strip
- Scan (https://bleek.dev/scan) — free URL-based security scanner, 8 of 14 Phase-1 checks live
- Human Audit (https://bleek.dev/human-audit) — the 8 checks no URL scanner can do (trial/promo abuse, IDOR, business logic, payment webhooks, stored XSS, BOPLA, LLM agent blast-radius, compliance). Fixed-scope sprints from $300.
- About (https://bleek.dev/about) — founder bio (Ali Saeed), mission, why bleek exists
- Insights (https://bleek.dev/insights) — case studies, CVE deep-dives, field notes from rescuing vibe-coded apps
- Free tools (https://bleek.dev/tools) — single-purpose security checks (SSL, headers, email, breach, password)
- CMS (https://bleek.dev/studio) — Sanity-powered admin, not for public crawling
## About bleek
bleek scans live URLs for the security failure modes that AI code generation tools ship by default. We focus on apps backed by Supabase, Firebase, Vercel, Netlify, and Railway, the stacks that vibe-coded apps live on. The name is literal: the product finds leaks (exposed Supabase service_role keys, Stripe sk_live keys in your JS bundle, tables with RLS disabled, auth bypasses, exposed .env / .git / source maps, missing security headers, dangerous CORS) plus the other OWASP Top 10:2025 and OWASP Top 10 for LLM Applications:2025 failure modes that can be detected from a URL.
## What We Scan For
- Exposed API keys and secrets in JS bundles (Supabase service_role, OpenAI, Stripe, AWS, GCP)
- Supabase Row-Level Security: extract the anon key from the bundle (public by design, so the key itself is not the finding) → list tables from the PostgREST schema → probe /rest/v1/{table} for rows readable with no user session (RLS off or a permissive policy)
- Firebase test-mode rules (Realtime DB + Firestore)
- HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- Cookie flags (Secure, HttpOnly, SameSite)
- TLS protocol and cipher suite
- CORS misconfiguration (wildcard or reflected Origin combined with Access-Control-Allow-Credentials)
- Exposed files and endpoints: .env, .git/config, source maps, /admin, /debug, /api-docs, /swagger.json
- Path traversal probes
- Reflected XSS and SQLi error-signature probes
- Open-redirect probes
- Authentication bypass via alternate path/channel (CWE-288)
- Unauthenticated state-changing endpoint detection
- Dependency vulnerability scan (Retire.js + OSV.dev)
- Vibe-coding-platform fingerprinting (Lovable, Bolt, v0, Base44, Cursor, Windsurf)
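The first two checks above (secrets in the JS bundle, then the Supabase RLS probe chain) as an added worked example. This is not bleek's code; the key regexes are approximations chosen for the example, and the bundle, schema document, project ref and probe responses are constructed rather than captured. It also grades a Supabase JWT by its role claim, since the anon key is meant to be public while a service_role key in a bundle bypasses RLS outright.

```python
"""Added example, not bleek's own code: pull leaked keys out of a JS bundle,
then turn a Supabase anon key into the RLS probes a URL scanner would issue.
Key regexes are approximations for this example; the bundle, schema document
and probe responses are constructed, not captured from any real app."""
import base64
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _fake_jwt(claims: dict) -> str:
    """Three-segment token shaped like a Supabase key; the signature is junk."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    sig = _b64url(b"not-a-real-signature")
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"

# Constructed sample bundle: an anon key (public by design), a service_role key
# that should never reach a browser, and a Stripe live secret. None are real.
SAMPLE_REF = "abcdefghijklmnopqrst"
SAMPLE_ANON = _fake_jwt({"iss": "supabase", "ref": SAMPLE_REF, "role": "anon"})
SAMPLE_SERVICE = _fake_jwt({"iss": "supabase", "ref": SAMPLE_REF, "role": "service_role"})
SAMPLE_STRIPE = "sk_live_" + "A" * 24
SAMPLE_BUNDLE = (
    f'const sb=createClient("https://{SAMPLE_REF}.supabase.co","{SAMPLE_ANON}");'
    f'const admin=createClient(sb.url,"{SAMPLE_SERVICE}");'
    f'const stripe=Stripe("{SAMPLE_STRIPE}");const pk="pk_live_publishable_is_fine";'
)

PATTERNS = {  # illustrative formats, not vendor-published ones
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

def decode_jwt_payload(token: str) -> dict:
    """Read the claims segment without verifying; the scanner only inspects it."""
    try:
        seg = token.split(".")[1]
        seg += "=" * (-len(seg) % 4)
        return json.loads(base64.urlsafe_b64decode(seg))
    except (IndexError, ValueError):
        return {}

def scan_bundle(js: str) -> list:
    """One finding per matched secret; Supabase JWTs are graded by their role."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(js):
            token = m.group(0)
            if kind != "jwt":
                findings.append({"kind": kind, "severity": "critical", "token": token})
                continue
            claims = decode_jwt_payload(token)
            if claims.get("iss") != "supabase":
                continue  # some other JWT, not a Supabase key
            role = claims.get("role", "unknown")
            findings.append({
                "kind": f"supabase_{role}_key", "ref": claims.get("ref"), "token": token,
                # anon is meant to be public; service_role bypasses RLS entirely
                "severity": "critical" if role == "service_role" else "info",
            })
    return findings

def rls_probe_plan(anon_key: str, openapi: dict) -> list:
    """Build table probes from the anon key plus the PostgREST OpenAPI document
    (GET /rest/v1/ with the apikey header returns it when introspection is
    exposed). Non-table paths (/ and /rpc/...) are skipped."""
    ref = decode_jwt_payload(anon_key).get("ref")
    base = f"https://{ref}.supabase.co/rest/v1"
    tables = [p.lstrip("/") for p in openapi.get("paths", {})
              if p != "/" and not p.startswith("/rpc/")]
    return [{"table": t, "method": "GET", "url": f"{base}/{t}?select=*&limit=1",
             "headers": {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}}
            for t in tables]

def classify_probe(status: int, body: str) -> str:
    """200 with rows: anon can read the table (RLS off or permissive policy).
    200 with []: ambiguous (RLS filtered everything, or the table is empty)."""
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            return "unexpected"
        return "readable_without_auth" if rows else "empty_or_filtered"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not_exposed"
    return "unexpected"

def demo() -> dict:
    """Run the pipeline on the constructed bundle, schema and canned responses."""
    findings = scan_bundle(SAMPLE_BUNDLE)
    anon = next(f["token"] for f in findings if f["kind"] == "supabase_anon_key")
    openapi = {"paths": {"/": {}, "/profiles": {}, "/orders": {}, "/rpc/reset_pw": {}}}
    plan = rls_probe_plan(anon, openapi)
    canned = {  # constructed responses to the two table probes
        "profiles": (200, '[{"id":1,"email":"a@example.com","stripe_customer":"cus_x"}]'),
        "orders": (200, "[]"),
    }
    verdicts = {p["table"]: classify_probe(*canned[p["table"]]) for p in plan}
    return {"findings": findings, "plan": plan, "verdicts": verdicts}
```

The empty-array case is the one to be careful with in a report: PostgREST returns 200 and [] both for a table protected by RLS with no matching policy and for an unprotected table that happens to be empty, so only a non-empty result confirms a leak.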
## What We Do NOT Claim
A URL-based scanner CANNOT confirm IDOR / BOLA without authenticated multi-account testing. It CANNOT confirm business-logic flaws, payment-webhook integrity, stored XSS, full system-prompt review (LLM07), or compliance posture. Those gaps are why bleek offers a human-checker tier — a named founder reviews the things a scanner cannot, and ships the fix as a pull request you approve.
## Tiers
- Free Scan — passive URL checks (headers, cookies, TLS, exposed files, public secrets). No signup.
- Deep Scan — $19 one-time — all 14 checks including Supabase RLS probing, Firebase rule probing, injection probes, AI-ready fix instructions.
- Human Checker — for everything a scanner can't confirm: IDOR, business logic, webhook integrity, AI-feature blast radius.
## Free Tools
Each tool is single-purpose, no signup. Live at https://bleek.dev/tools — placeholders for now, shipping in iterations:
- /tools/ssl-checker — cert validity, expiration, protocol + cipher quality
- /tools/security-headers — CSP, HSTS, X-Frame-Options, cookie flags graded
- /tools/email-security — SPF, DMARC, DKIM on any custom domain
- /tools/breach-checker — has this email turned up in any known breach
- /tools/password-strength — entropy + breach-list check, nothing leaves the browser
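The header, cookie-flag and CORS grading that the scanner runs (and that /tools/security-headers exposes on its own) as an added worked example. This is not bleek's code: the severities and thresholds are this example's own choices, and the weak and hardened responses, plus the attacker origin used for the CORS probe, are constructed. The CORS check distinguishes a reflected Origin with credentials (directly exploitable) from a literal wildcard with credentials (which browsers refuse, so it signals a misconfiguration rather than a live hole).

```python
"""Added example, not bleek's own code: grade security headers, cookie flags
and CORS from response headers. Thresholds and severities are this example's
choices; the weak and hardened responses below are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the usual HSTS floor
PROBE_ORIGIN = "https://evil.example"  # constructed attacker origin sent by the scanner

def _lower_keys(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}

def _parse_cookie(set_cookie: str) -> tuple:
    """Return (name, {attr: value}) for one Set-Cookie value, attrs lower-cased."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    return name, attrs

def grade_cookies(set_cookie_values) -> list:
    findings = []
    for raw in set_cookie_values:
        name, a = _parse_cookie(raw)
        if "secure" not in a:
            findings.append(("high", f"cookie {name}: missing Secure"))
        if "httponly" not in a:
            findings.append(("medium", f"cookie {name}: missing HttpOnly"))
        if "samesite" not in a:
            findings.append(("low", f"cookie {name}: missing SameSite"))
        elif a["samesite"] == "none" and "secure" not in a:
            # Browsers drop SameSite=None cookies that are not also Secure.
            findings.append(("medium", f"cookie {name}: SameSite=None without Secure"))
    return findings

def grade_headers(headers: dict) -> list:
    h = _lower_keys(headers)
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append(("medium", "missing Strict-Transport-Security"))
    elif not age or int(age.group(1)) < ONE_YEAR:
        findings.append(("low", "HSTS max-age below one year"))
    csp = h.get("content-security-policy", "")
    directives = {}
    for d in csp.split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if not csp:
        findings.append(("medium", "missing Content-Security-Policy"))
    else:
        # script-src falls back to default-src when absent
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script or "*" in script:
            findings.append(("medium", "CSP allows inline or wildcard scripts"))
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append(("medium", "no frame-ancestors / X-Frame-Options (clickjacking)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not nosniff"))
    if "referrer-policy" not in h:
        findings.append(("low", "missing Referrer-Policy"))
    if "permissions-policy" not in h:
        findings.append(("info", "missing Permissions-Policy"))
    return findings

def grade_cors(probe_origin: str, headers: dict) -> list:
    """probe_origin is the Origin header the scanner sent on the request."""
    h = _lower_keys(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        # Reflected Origin + credentials: any site can read authenticated responses.
        return [("critical", f"CORS reflects Origin {probe_origin} with credentials")]
    if acao == "*" and creds:
        # Browsers refuse credentialed responses carrying a literal '*', so this
        # is a misconfiguration signal rather than a directly exploitable hole.
        return [("medium", "Access-Control-Allow-Origin: * together with credentials")]
    return []

def grade_response(resp: dict) -> list:
    return (grade_headers(resp["headers"])
            + grade_cookies(resp.get("set_cookie", []))
            + grade_cors(resp["probe_origin"], resp["headers"]))

WEAK = {  # constructed: what a freshly generated app often ships
    "probe_origin": PROBE_ORIGIN,
    "headers": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Access-Control-Allow-Origin": PROBE_ORIGIN,  # Origin echoed back
        "Access-Control-Allow-Credentials": "true",
    },
    "set_cookie": ["session=abc123; Path=/"],
}
HARDENED = {  # constructed: the same response after the fix
    "probe_origin": PROBE_ORIGIN,
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    },
    "set_cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
```

Run `grade_response(WEAK)` and `grade_response(HARDENED)` to compare: the weak response yields ten findings including the critical CORS reflection, the hardened one none. The grader only sees what the server sends back, so a CORS verdict needs the scanner to actually send an attacker-style Origin header and check whether it is echoed.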
## Standards We Anchor On
- OWASP Top 10:2025 (web — A01 Broken Access Control, A02 Security Misconfiguration, A03 Software Supply Chain Failures, A10 Mishandling of Exceptional Conditions)
- OWASP API Security Top 10:2023 (API1 BOLA, API3 BOPLA)
- OWASP Top 10 for LLM Applications:2025 (LLM01 Prompt Injection, LLM02 Sensitive Info Disclosure, LLM06 Excessive Agency, LLM07 System Prompt Leakage)
- 2025 CWE Top 25 (XSS #1, SQLi #2, Missing Auth, Path Traversal, IDOR)
## Why bleek Exists
CVE-2025-48757 documented that ~10% of Lovable apps (303 endpoints across 170 of 1,645 projects) ship with broken or missing RLS. Beesoul/Retool found ~70% of Lovable apps have RLS disabled outright. SupaExplorer found 11% of vibe-coded apps leak Supabase keys across 20,052 URLs scanned. AI tools generate working code fast but rarely ship the security configuration. bleek closes that gap.
## Founder
bleek is by Ali Saeed (https://bleek.dev/about). Named founder, no agency, no offshore team. Read-only by design. Your code stays yours.
## Contact
hello@bleek.dev