vibecoded.fail

shipramen // security ctf

Can you hack these vibe coded startups?

Nine vibe coded startups, each one one-shotted by a founder who told the AI to “just make it work” and shipped whatever it produced, unread. The AI was confident and competent. The founder never looked. Every site hides a real, textbook vulnerability for you to find.

~/startups - zsh

$ ai "build me a billion-dollar app" --yolo

generated 1 landing page, 0 tests

deployed to production

! 1 vulnerability shipped (undetected)

choose your run

leaderboard

You can switch modes before your first capture; after that the run is locked to your pick. These play best on a desktop with developer tools handy. The leaderboard and your share card work anywhere.

01how it works
01

Start at level one

The nine startups unlock in order. You begin at the first and work up the ladder, one capture at a time. No skipping ahead.

02

Find the flaw, capture it

Every site hides one real vulnerability its founder shipped blind. Find it, capture its flag and drop the flag to clear the level.

03

Read the reveal, unlock the next

Each capture opens the AI-transcript reveal that shows how “just make it work” produced the bug, then unlocks the next startup.

02the lineup

Nine startups, nine different faces, the same slop underneath. Each hides a different real vulnerability.

  1. Synthwave.ai

    L1
  2. Kickstart.ai

    L2
  3. Chatly.ai

    L3
  4. Quantum Labs

    L4
  5. DataPilot

    L5
  6. Velocity.ai

    L6
  7. Cohort.ai

    L7
  8. SupportGenie

    L8
  9. MetaCorp

    L9
03the fine print

// no real startups were harmed

The bugs are the kind that ship to production every week. Bring your DevTools, your curiosity and a healthy distrust of anything an AI shipped “for now.”