2 Sources
[1]
How vibe coding can make your software headaches worse, experts warn
Vibe coding enables one to program in plain English. However, it means speed over code review and rigor. Code quality may be inconsistent.
Vibe coding has become the new must-do in technology shops. The term and methodology were first coined by Andrej Karpathy, co-founder of OpenAI, in February 2025. "I just see stuff, say stuff, run stuff, and copy-paste stuff, and it mostly works," he said at the time.
"Unlike traditional AI-assisted coding or pair programming, vibe coding means you describe what you want in plain English," according to a report from v0. It also enables both professional and citizen developers to "let AI suggestions guide projects with little or no code review." One can even "trust the AI to handle heavy lifts like syntax, structure, and implementation. This shift transforms coding from a technical skill requiring years of training into a conversational interface that anyone can master in hours."
(Disclosure: Ziff Davis, ZDNET's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)
Early 2025 data show that 25% of Y Combinator startups had over 95% AI-generated code, commented Varun Badhwar, founder and CEO at Endor Labs. Vibe coding has emerged as the go-to approach to quickly building and developing new products.
Veteran industry watcher David Linthicum thinks it is, especially at the enterprise level. "Vibe coding may work for personal projects or hackathons, but the real world demands something more substantial," he said in a recent LinkedIn post. "Businesses don't run on vibes -- they run on reliability, scalability, and maintainability. The longer an enterprise indulges in vibe coding, the harder and more expensive it becomes to standardize, refactor, and secure their systems."
The lack of standards that come with vibe coding "means that code quality is wildly inconsistent," Linthicum also pointed out. "Features implemented one week are duplicative or incompatible with code written the next." And since vibe coding is a shortcut, it racks up technical debt. "The cost of cleaning up after vibe coding is huge. What may start as 'move fast and break things' too often becomes move fast and break everything, then spend a fortune rebuilding it."
Vibe coding apps "keep hitting vulnerabilities: exposing secrets, access misconfigurations, hardcoded credentials," according to v0.
For startups and smaller businesses, the risk grows. "As bad actors grow more sophisticated and find new ways to achieve remote code execution, the stakes are going to grow for amateur vibe coders," Badhwar cautioned. The smaller the organization, the more difficult and costly it is to recover from a breach. "Basing products entirely off AI-generated code is risky."
In some ways, vibe coding may amplify and scale issues with human coding. "People don't do code reviews enough," Brandon Evans, senior instructor at SANS Institute, told ZDNET. "This is accelerated by vibe coding. We have been neglecting the reviewing of human-written code as well."
Vibe coding, powered by GitHub Copilot or any AI tool, "helps in generating responses quickly but often skips best practices, documentation, and structured design," agreed Naga Santhosh Reddy Vootukuri, principal software engineering manager at Microsoft and author of Vibe Coding with GitHub Copilot. "You need to iterate multiple times or pass in right context and right prompts to achieve your desired results."
Vootukuri identifies the primary dangers of vibe coding as "security vulnerabilities, rapid technical debt, fragmented architectures, and code nobody understands or can maintain."
Security is a worrisome issue, as "AI-generated suggestions may look functional but hide subtle bugs or even create new attack vectors," he added. Security oversight and deep expertise are critical in avoiding "time and effort in rewriting, support headaches, and unreliable software."
At the same time, the issues with vibe coding aren't necessarily new. "Code generation tools aren't new," said Louis Landry, chief technology officer at Teradata. "We've had scaffolding, templates, and code generators for decades. What's different now is the scope of what's possible. It feels magical because it is. You can rapidly prototype and explore experiences and integrations that would've taken too much time to justify before. But the fundamentals haven't changed: Dev teams are responsible for the code they ship, whether a human or machine wrote it. Code review is critical regardless of the source."
However, Landry continued, "the problem is when teams skip that review process because the output looks polished. We're early in the maturity curve here. The technology is powerful, but the discipline around it hasn't caught up yet." Landry also cautioned against technical debt that may build up with vibe-coding shortcuts.
"Bridging speed with discipline is key -- success comes when teams merge AI-driven creativity with robust workflows and clear standards," said Vootukuri. "Treat AI outputs as rough drafts, never production-ready code. Maintain rigorous reviews, run static analysis, and follow strict coding standards. Document each use of AI and always cross-check security -- especially on anything customer-facing or sensitive. With experience and time, you can improve on the prompts and ask the right questions to LLMs, enforce mandatory peer reviews within your team, automate CI tests, and clear alignment with business goals, all help ensure that AI remains an accelerator, not a liability."
[2]
Why security is paramount for entrepreneurs in the vibe coding era
Vibe coding may very well be the phrase of the year. It's not only at the center of developer conversations but is also making its way to the forefront of the aspiring entrepreneur's mind. In fact, early 2025 stats show that 25% of Y Combinator startups had over 95% AI-generated code. Even earlier innovators and entrepreneurs are leveraging the technology to quickly churn out products, with 34% of no-code solopreneurs becoming profitable within six months of launch. These stats should stop anyone in their tracks.
Vibe coding is breaking down barriers to innovation and turning the inception of an idea into a customer-facing product at a pace that is only possible with AI. Lower costs to build and iterate mean that entrepreneurs can bootstrap more easily, extend their runway and don't need as much upfront capital. As a result, they test out more ideas with a lot less risk in the prototyping stage, a luxury that entrepreneurs never had until now. However, as with any transformative technology, it also deserves a critical eye.
It should be noted that these upsides are not exaggerated. It's remarkable to witness the power of AI-assisted coding and the potential it's been able to unlock thus far. However, code dependencies are an inevitable part of vibe coding and a lack of security guardrails can introduce vulnerabilities that fly under the radar. Without an understanding of this lesser-known reality of coding innovation, this can take entrepreneurs from an overnight success to an overnight headline - and not in a good way. That is why industry experts have a responsibility to create a realistic narrative around the topic. Entrepreneurs need to understand there is a critical difference between relying on vibe coding to ideate on or test a product vs. launching and scaling it. An important first step to ensuring vibe coding risks and considerations are understood is taking a look at how it's being approached by the vast majority today.
While it has exploded in popularity over recent years, it was not intended to be used the way we so commonly see it being used today. The most concerning narrative is around using it as a tool to remove humans from the equation. For entrepreneurs, removing experts from the practice of coding comes with steep risks. Unlike more established companies, these individuals don't have the resources to weigh in on critical vulnerabilities and potential issues that can arise when trying to scale their product. Ultimately, these issues can lead to technical debt and a lack of fundamental understanding of the product and its security layers. While it may seem paradoxical, what created vibe coding's popularity - its use amongst non-technical professionals - is what makes it a massive risk without the proper precautions in place.
Entrepreneurs who use vibe coding have to understand how these agents are trained. The large language models (LLMs) these agents are built from are pre-trained on open source datasets that include publicly available source code from platforms like GitHub. Not all this data is good, and agents being trained on bad code is a reality that comes with the nature of AI-assisted coding. Not only that, but bad actors have actually learned how to leverage these agents through what's known as a remote code execution (RCE) attack. The recent npm attack is a perfect example of this scenario, and this is a trend that's only expected to grow - making vibe coding even more precarious. Considering that 80% of AI-suggested dependencies contain risks, every entrepreneur should be re-thinking their AI-assisted strategy before trying to scale their product.
This is why developers acknowledge that we're at a turning point when it comes to AI-generated code. While manual detection is ideal to catch all of these vulnerabilities, even trained professionals can no longer keep pace.
It becomes a scary realization to think that most vibe coders just don't know any better - they trust these outputs and build insecure apps without even knowing it. As bad actors grow more sophisticated and find new ways to achieve RCE, the stakes are going to grow for amateur vibe coders. Without financial resources to bounce back from a breach and technical staff to provide guidance, basing products entirely off AI-generated code is risky. Early-stage startups will learn the hard way that security cannot be an afterthought. Relying too heavily on vibe coding from the outset also means that products will not successfully scale beyond demos, technical debt may skyrocket if these apps scale fast, and the apps also run the risk of falling apart.
While some entrepreneurs may be tempted to push straight to production, investing early on in security guardrails has to be non-negotiable. This doesn't mean that you need to hire a team of developers; startups can still vibe code, but the key is being aware of the risks and the guardrails that must first be put into place. Even if these innovators are knowledgeable enough to monitor for vulnerabilities, they are likely wasting a lot of time trying to pinpoint these risks and formulate the right course of action. On the other hand, when AI coding agents are equipped with security tools, the proportion of safe dependency recommendations jumps from roughly 20% to 57%.
It's understandable that strapped startups may not be able to invest in outside help early on, but the cost of a data breach will far outweigh the cost of doing security right. Financials are also only the tip of the iceberg; breaches break down trust amongst customers, something that is especially critical for companies just starting out. Even the most established companies don't typically get a second chance after a major breach.
Startups and innovators must consider seeking expert counsel if they want to create a truly safe and sustainable product and, more importantly, should do so before they release it to the public. Vibe coding presents many benefits for entrepreneurs, from requiring less upfront capital to the ability to try out more ideas and, overall, bootstrap more easily. This doesn't come without a downside; while code generated by AI may work well for prototyping, it likely won't be able to scale without severely compromising security and performance. To capitalize on the power of AI-coding assistants, entrepreneurs need to invest in security early on or else suffer the consequences later down the road.
The rise of vibe coding, where developers program in plain English using AI assistance, is transforming software development but raising serious security and quality concerns among industry experts.
Vibe coding has emerged as a transformative approach to software development, fundamentally changing how developers interact with code. Coined by Andrej Karpathy, co-founder of OpenAI, in February 2025, the methodology allows developers to "just see stuff, say stuff, run stuff, and copy-paste stuff" with AI assistance [1]. Unlike traditional AI-assisted coding, vibe coding enables developers to describe their requirements in plain English, with AI handling syntax, structure, and implementation details.
The adoption rate has been remarkable, particularly among startups. Early 2025 data reveals that 25% of Y Combinator startups had over 95% AI-generated code, according to Varun Badhwar, founder and CEO at Endor Labs [1]. This trend extends beyond traditional tech companies, with 34% of no-code solopreneurs becoming profitable within six months of launch [2].
Despite its appeal, vibe coding introduces significant security concerns that industry experts are increasingly highlighting. The methodology's reliance on AI-generated code creates vulnerabilities that often go undetected. According to research, 80% of AI-suggested dependencies contain risks, making security oversight critical [2].
Naga Santhosh Reddy Vootukuri, principal software engineering manager at Microsoft, identifies the primary dangers as "security vulnerabilities, rapid technical debt, fragmented architectures, and code nobody understands or can maintain" [1]. The AI-generated suggestions may appear functional but can hide subtle bugs or create new attack vectors.
Bad actors have learned to exploit these vulnerabilities through remote code execution (RCE) attacks. The recent npm attack exemplifies this growing threat, with sophisticated attackers finding new ways to leverage AI-generated code for malicious purposes [2].
Veteran industry observer David Linthicum warns that vibe coding may work for personal projects but falls short of enterprise requirements. "Businesses don't run on vibes -- they run on reliability, scalability, and maintainability," he noted [1]. The lack of standards in vibe coding results in wildly inconsistent code quality, with features implemented one week potentially being duplicative or incompatible with code written the next.
The methodology's emphasis on speed over rigor creates substantial technical debt. Brandon Evans from SANS Institute points out that vibe coding accelerates an existing problem: "People don't do code reviews enough. This is accelerated by vibe coding" [1].
For entrepreneurs, vibe coding presents both opportunities and risks. The technology breaks down barriers to innovation, allowing faster product development with lower upfront costs. This enables entrepreneurs to bootstrap more easily, extend their runway, and test multiple ideas with reduced risk during prototyping [2].
However, the risks are particularly acute for smaller organizations. As Badhwar cautions, "The smaller the organization, the more difficult and costly it is to recover from a breach. Basing products entirely off AI-generated code is risky" [1]. Early-stage startups face the challenge of lacking resources to properly assess and mitigate the vulnerabilities inherent in AI-generated code.
Summarized by Navi