Lovable, a vibe-coding platform, is downplaying a vulnerability report that exposed sensitive user information, including credentials and source code, to anyone with a free account. Initially, the company attributed the issue to "intentional behavior" and unclear documentation, but later shifted the blame to HackerOne, the bug-bounty service through which the report was filed. The researcher's findings highlighted a significant flaw in Lovable's security, allowing unauthorized access to sensitive data. The company's response has been inconsistent, raising concerns about its ability to handle vulnerability reports. Lovable's actions demonstrate a lack of transparency and accountability, which can erode user trust. This incident matters to practitioners because it shows the importance of a well-coordinated vulnerability disclosure process, with clear communication and prompt action to protect sensitive user data.
Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus
⚡ High Priority
Why This Matters
A lesson in how not to respond to vulnerability reports

Vibe-coding platform Lovable is pooh-poohing a researcher's finding that anyone could open a free account on the service.
References
- The Register. (2026, April 20). Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus. The Register. https://go.theregister.com/feed/www.theregister.com/2026/04/20/lovable_denies_data_leak/
Original Source
The Register