Newsletter
|
Jun 20, 2025
Vibe coding is great, but it comes with security risks and backend scalability concerns
Vibe coding has become one of the most discussed, mass-market opportunities in artificial intelligence (AI) over the last year. Vibe coding is an approach to software development where you describe what you want in plain language and let an AI generate, refine, and debug the code for you, shifting the programmer’s role from writing code to guiding and supervising the AI’s output.
This has become one of the hottest markets for startups with companies like Cursor ($9.9bn valuation), Lovable ($1.5bn valuation), Bolt ($700m valuation), and Windsurf ($3bn valuation) attracting significant investment and M&A interest.
The main premise of vibe coding, and why these companies have found quick adoption, is that they allow consumers to quickly move from idea to prototype to potential live product without needing to know how to code. Due to large language models (LLMs) and natural language processing (NLP), end users only need to describe what they want to build, and AI will write the code.
Through the 2010s and still today, software has been standardized in a way that required consumers or businesses to mold themselves around their preferred software. Whether it was a customer relationship management tool (CRM) or an email client, customers have had to adapt to use products, while products have not adapted to users and their preferences. With vibe coding, we are seeing a resurgence of custom software opportunities where customers can build software for their individualized needs.
This has second-order effects, which could allow for a new creator economy to spawn. Since the cost and time to develop applications are drastically plummeting, marketplaces can be created that allow creators to build specific applications that can be downloaded and used or even forked so that consumers can take pre-built applications and fine-tune them even further. There could be a future where personal applications that typically cost thousands of dollars to build (not to mention costs associated with ongoing development) can be bought, downloaded, and modified cheaply. Etsy for custom software.
Separately, this could create a shift in how SaaS businesses operate. Similar to how Substack gives people tools to build a newsletter business without having to worry about hosting, payments, communications, etc., we believe vibe coding platforms can create new business opportunities for creators to sell their applications while charging a small fee on top to manage, update, or create new versions for different use cases.
On the surface, it is easy to see the similarities between no/low code and vibe coding. No/low code’s initial opportunity was described as one that would allow anyone, through visual interfaces, drag-and-drop tools, and some minor coding capabilities, to create applications or games. The issue that arose was that the platform naturally limited what could be created. This is a core reason why no-code game platforms struggled: you had to work with what was available. If there was not an exact template for what you wanted to build, you could not realize your imagination. This significantly limited the novel, creative experiences that could emerge on these platforms.
With vibe coding, instead of using the tools and framework offered by platforms, you simply explain what you want and it is built. With companies like Cursor being natively embedded within an integrated development environment (IDE), whether you are brand new to building applications or an experienced developer who just wants additional support, the platform supports your workflow.
Vibe coding has its risks, namely around security. Unlike no/low code platforms, vibe coding platforms will build out whatever users can imagine; most users will not actually understand what the code does or how to safeguard their product from vulnerabilities.
For example, cross-site scripting (XSS) is a website security flaw that lets attackers inject malicious scripts into web pages that other users view. When someone visits a page carrying this hidden code, their browser runs it as if it were part of the real website, allowing hackers to do things like crash websites and steal customer data. This is exactly what happened in 2018 with British Airways, where the payment data of hundreds of thousands of customers was stolen.
XSS and other vulnerabilities like broken access controls, injection attacks, or cryptographic failures could be a significant problem in vibe coding because AI-generated code often lacks proper security safeguards. Many software developers today, even if they can code, are not security experts, and vulnerabilities are already a major issue on the web; vibe coders with no software development or security background will only proliferate and exacerbate these risks.
If an attacker finds vulnerabilities in an app built with vibe coding, they can inject malicious scripts that steal user data, hijack sessions, deface the site, or launch further attacks. While these platforms offer free-flowing, imaginative coding, the risk that users do not understand what their code allows is vast.
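To make the XSS point concrete, here is an added example (not code from the newsletter or from any of the platforms it names) of the kind of comment renderer an AI assistant might generate for a web page, in its unsafe form and in a hardened form that escapes untrusted input; the sample comment is constructed for illustration.

```javascript
// Added example: rendering a user comment into HTML, unsafe vs. hardened.
// Constructed sample input, as a site visitor might submit it.
const SAMPLE_COMMENT = {
  author: 'guest',
  body: 'Great product! <img src=x onerror="alert(document.cookie)">',
};

// UNSAFE: the pattern that often appears in AI-generated templates. The
// user-controlled body is concatenated straight into the HTML, so any markup
// it carries is interpreted by the browser instead of being shown as text.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// Output encoding: escape the five characters that let text break out of an
// HTML text node or attribute value. This is the standard XSS mitigation.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// SAFE: every untrusted value is escaped at the point it enters the HTML.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Defender-side review check: does the rendered HTML still contain a tag the
// browser would treat as executable, or any tag carrying an on* event handler?
// A real review would use a DOM parser; this regex is enough for the demo.
function containsActiveMarkup(html) {
  return /<\s*(script|img|iframe|svg)\b/i.test(html) || /<[a-z]+[^>]*\son\w+\s*=/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT));
console.log('unsafe output is active:', containsActiveMarkup(renderCommentUnsafe(SAMPLE_COMMENT)));
console.log('safe output is active:  ', containsActiveMarkup(renderCommentSafe(SAMPLE_COMMENT)));
```

The same escaping must be applied everywhere untrusted data is written into a page; modern frameworks do this by default, but generated code that builds HTML strings by hand bypasses that protection.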
A lot of current vibe coding platforms, like Lovable or Bolt, are geared towards front-end development (especially for rapid prototyping, UI design, and building user-facing applications) and do not automatically set up backends because backends are highly variable and often depend on specific needs (e.g., business logic, data processing, security, integrations, and communication with the frontend through APIs). This opens up even more potential issues.
Without deep backend experience, users setting up their own backends can introduce even more risk. While it is easy to vibe code, when a user wants to deploy an application, they need to answer questions like “Where will the backend be hosted?”, “What type of database will I use?”, “How will I implement authentication and authorization?”, and “How do I build out the backend to scale and handle increased traffic or data volume?” These are questions that the vast majority of the non-technical population would not know how to answer.
Without expertise, users may misconfigure parts of their backend, exposing sensitive data, or have inadequate backups, resulting in data loss. If a user builds out a backend that lacks scalability, it may create downtime or degraded performance as usage grows.
Another issue with these platforms is that while they promise to enable a creator to fully build and launch a product, they tend to fall short, especially with more complex applications. It is not uncommon to get caught in a conversational loop where the AI cannot output what you expect, especially with dozens of files and programs involved.
These technical limitations arise from the concept of “context windows” in LLMs. LLMs can only process information within their context window. If your application or codebase exceeds this limit, the model loses access to earlier details, leading to incomplete or inconsistent outputs.
Takeaway: Vibe coding is changing how people build software, making it possible for anyone to turn their ideas into working apps just by describing what they want in everyday language. Instead of needing to know how to code, users guide the AI, which writes and tweaks the code for them. Of course, this freedom comes with risks: most creators will not know if their AI-generated code is secure or if their app’s backend is set up properly, which could lead to security issues or lost data. Still, vibe coding is making software more personal and accessible, and while there are challenges to solve, it is clear this approach is changing the way we think about building and using technology.