cursor, claude code, v0, bolt, lovable, replit all ship code fast. they also ship the same handful of security holes over and over: secrets in client bundles, USING (true) RLS, public storage buckets, exposed service-role keys, missing tenant scoping. i read your repo, probe your staging, send a pdf in 48h. $199 fixed.
no calls. no slack channel. one pdf, ranked by exploitability, with code fixes you can paste in.
these are the bugs i keep finding in AI-generated mvps. same shape across supabase, firebase, nhost, pocketbase, appwrite, raw node.
the AI grabbed the admin key from .env because the page wouldn't compile. now it's in your js bundle and anyone can drop your tables.
the model "fixed" RLS errors by writing a policy that lets every user read every row. classic. i grep for it first.
uploads bucket left public so the demo works. now every customer's invoices are listable by url guessing.
NEXT_PUBLIC_* prefixed by accident, stripe restricted key shipped to browser, openai key in vite env. easy to spot, easy to abuse.
every query reads from orders with no where tenant_id = auth.uid(). multi-tenant SaaS where tenant A sees tenant B's data.
cron endpoint, webhook receiver, ai proxy, all reachable without a header check. anyone hits it, you pay the bill.
not a "security" bug until someone scripts it. AI loves while (cursor) with no max iterations. one bad input = 6-figure cloud bill.
if (user) {} instead of if (user?.id === resource.owner_id). logged-in user A can delete logged-in user B's stuff.
not a security agency. a builder who shipped real auditors and got burned by my own AI code first.
5 open-source BaaS security auditors on npm (supabase, firebase, pocketbase, appwrite, nhost).
~1500 weekly downloads on the supabase one.
14 critical leaks i found in my own production CRM after it was generated mostly by AI. write-up:
three steps. no meetings.
pay the stripe link. you get an email asking for a github invite (read-only) and an optional staging url. that's kickoff.
i grep, read, run my own tooling against your stack, and probe your staging url if you sent one. no calls, no async ping-pong.
you get a pdf with findings ranked by exploitability. each one has file + line, what's wrong, and the fix. ship the patches yourself.
the stuff people ask before paying.
$199 covers up to ~50k lines of app code (excluding node_modules / generated). over that, i'll quote you before starting or refund. i'm not going to pretend i read a million-line monorepo in 3 hours.
yes, send yours and i'll sign. plain mutual NDA, no weird clauses. if you don't have one i have a one-page template.
strongest on: next.js / react / svelte / astro front-ends, supabase / firebase / nhost / pocketbase / appwrite back-ends, node + python edge functions, stripe + webhooks. weakest on: native mobile, rust, embedded. ask me if you're unsure.
no pen-testing of production, no destructive payloads, no compliance paperwork (SOC2 / HIPAA / PCI). this is a code-and-config review with light runtime probing. if you need formal pen-test, hire a firm.
if my pdf has zero critical or high findings, i refund 100% via stripe. i still send the report. you keep it. this filters out repos that don't need me anyway.