
What a $1,000 Code Review Actually Finds in Lovable and Claude Code Apps
A post on r/vibecoding went viral this week. Someone paid a senior dev $1,000 on Upwork to review their vibe-coded app. The verdict: "good code, just needs a few security concerns addressed."

That's the outcome for almost every vibe-coded app I've looked at. The code works. The UI is fine. The security is broken. Here's what actually shows up in these reviews.

The Same 5 Issues, Every Time

1. Supabase RLS policies that don't exist or don't work

Lovable sets up Supabase for you. It creates tables, writes queries, handles auth. What it doesn't do reliably is lock down who can read what.

Open your Supabase dashboard right now. Go to Authentication > Policies. If you see tables with row level security disabled, every row in those tables is readable and writable by anyone who has your Supabase URL and anon key, because the anon role gets the table's plain grants with no row filter applied. Both values are in your client bundle; anyone can open devtools and find them. (A table that has RLS enabled but no policies is the opposite case: every request through the API is denied, which is the safe default.)

The fix is row-level security policies on every table. But the AI generates policies that look right and aren't. A common one: a policy that checks auth.uid(
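As an added example (not code from the post, and not Lovable's or Supabase's own), here is the audit query that lists exposed tables, one common weak policy shape beside a corrected per-row ownership check, and a way to verify the result from SQL while impersonating a user. It assumes a hypothetical table public.notes with an owner column user_id that stores auth.users.id; the UUID used in the verification step is constructed.

```sql
-- Added example; not code from the post or from Lovable/Supabase.
-- Assumes a hypothetical table public.notes with an owner column
-- user_id uuid that stores auth.users.id.

-- Audit: which tables in the public schema are reachable through the REST
-- API with row level security switched off? Every row of these is open to
-- anyone holding the project URL and anon key.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- A policy that looks right and isn't: it only asks whether the caller is
-- logged in, so any account can read every other user's notes.
alter table public.notes enable row level security;
create policy "notes_read_weak" on public.notes
  for select to authenticated
  using (auth.uid() is not null);

-- Corrected: compare the caller's id with the row's owner, on every verb.
-- No policy is created for the anon role, so unauthenticated requests
-- return zero rows once RLS is on.
drop policy "notes_read_weak" on public.notes;
create policy "notes_select_own" on public.notes
  for select to authenticated
  using (auth.uid() = user_id);
create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (auth.uid() = user_id);
create policy "notes_update_own" on public.notes
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);
create policy "notes_delete_own" on public.notes
  for delete to authenticated
  using (auth.uid() = user_id);

-- Verify from SQL instead of trusting the dashboard: impersonate the
-- authenticated role with a constructed JWT subject claim. auth.uid()
-- reads the claim from the request.jwt.claim.sub / request.jwt.claims
-- settings, so this is what PostgREST would set for a real token.
begin;
set local role authenticated;
set local request.jwt.claim.sub = '00000000-0000-0000-0000-000000000001';
select count(*) from public.notes;  -- only rows owned by that uuid
rollback;
```

Run the audit query first; any table it returns is the immediate problem, regardless of what policies exist elsewhere. After enabling RLS, also test from outside the database with nothing but the anon key (a plain GET against /rest/v1/notes?select=* with the apikey header): the correct answer is an empty array, not a list of every user's rows.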
Continue reading on Dev.to Webdev

