ramen labs // security ctf
Can you hack these vibe-coded startups?
Nine vibe-coded startups, each one one-shotted by a founder who told the AI to “just make it work” and shipped whatever it produced, unread. The AI was confident and competent. The founder never looked. Every site hides a real, textbook vulnerability for you to find.
$ ai "build me a billion-dollar app" --yolo
✓ generated 1 landing page, 0 tests
✓ deployed to production
! 1 vulnerability shipped (undetected)
choose your run
You can switch modes before your first capture; after that the run is locked to your pick. Levels need DevTools, the network tab, and source inspection, so play on a desktop. The leaderboard and your share card work anywhere.
Start at level one
The nine startups unlock in order. You begin at the first and work up the ladder, one capture at a time. No skipping ahead.
Find the flaw, capture it
View source. Open the network tab. Read the bundle. Every site hides a real vulnerability its founder shipped blind. Drop the flag to clear the level.
Read the reveal, unlock the next
Each capture opens the AI-transcript reveal that shows how “just make it work” produced the bug, then unlocks the next startup.
Nine startups. One prompt. Spot the difference. (You can't - that's the point.) Difficulty climbs from left to right.
L1 Synthwave.ai
L2 Kickstart.ai
L3 Chatly.ai
L4 Quantum Labs
L5 DataPilot
L6 Velocity.ai
L7 Cohort.ai
L8 SupportGenie
L9 MetaCorp
// no real startups were harmed
Every vuln here is faked, client-side, on purpose - the bugs are real patterns, the victims are fictional. Bring your DevTools, your curiosity, and a healthy distrust of anything an AI shipped “for now.”