Security . 21 May 2026 . By Nessa

Why AI-built products require AI-driven security: the Lovable example

Modern products are increasingly built with AI, which accelerates development but also introduces new classes of vulnerabilities, particularly around logic flaws, multi-tenant access, and agent behavior. Traditional security approaches struggle to keep pace with this speed and complexity.

To address this, companies today often engage external security researchers through platforms such as HackerOne. This uncovers real-world attack scenarios, extends security coverage beyond internal teams, and increases transparency and trust.

One of the companies following this model is Lovable – an AI-powered platform that enables users to build applications through text or voice. With nearly 8 million users, a $6.6 billion valuation, and over 25 million projects created on the platform (with 100,000+ new ones added every day), Lovable has become one of the fastest-growing AI startups in the world. At this scale, security is not optional – it is a core product requirement.

Lovable's Vulnerability Disclosure Program on HackerOne reflects this reality: the program covers the platform broadly and prioritizes high-impact issues such as access control, multi-tenant authorization, and AI-specific exploits, while filtering out low-signal findings without practical impact. This indicates a focus on meaningful security validation rather than formal compliance.

Naturally, we couldn't resist: our AI agents took a close look at Lovable's infrastructure. During testing they identified a vulnerability that met the program's criteria: it was reproducible, had clear security impact, and demonstrated a realistic attack path. The report was accepted and subsequently remediated by the Lovable team, which demonstrates their commitment to working with the security community.

Key insights

What this means for teams building on AI-assisted stacks. If your team is building with Claude Sonnet, Claude Opus, or OpenAI Codex alongside Supabase, the following applies directly to you.

Well, first, no one is perfect, and that includes the AI agents writing the code. AI-driven development removes many of the mistakes that come from human factors, but teams using it should not assume the result is flawless. OWASP's own lists reflect this: Broken Access Control still heads the OWASP Top 10, and OWASP now maintains a separate Top 10 for LLM applications alongside it. We want to demonstrate this through one very typical scenario.

AI coding assistants are optimized for fast and visible results. When generating Supabase applications, models frequently skip Row Level Security (RLS) or disable it outright, because strict policies make a demo more likely to fail with empty results or permission errors. A working demo takes priority over a secure one. The consequence in Supabase specifically: a table created in plain SQL has RLS off unless you enable it, and the anon key that the generated frontend ships to every visitor is then enough to read and write the whole table through the auto-generated REST API.

The result: applications that appear production-ready but contain a critical flaw that lets any external party exfiltrate the entire database with a single API request. No exploit is required, because the request is simply the documented API called with the public anon key. In some cases, unauthorized data modification or deletion is equally straightforward. Phone numbers, documents, internal records and user data end up fully exposed.

Second, not every company has the resources or maturity to run a program like Lovable's on HackerOne. Attackers, meanwhile, do not act selectively: vulnerabilities are discovered and exploited at scale through automation. That makes security a fundamental part of the product development process, not a later-stage consideration.

What we recommend you do before your next deployment: 

  • Explicitly instruct your model to enable RLS and generate policies for every table, scoped to your organization and role structure, and treat any table left with RLS disabled as a bug
  • Run the Supabase Security Advisor (Dashboard → Database → Advisors) to surface tables with RLS disabled and other policy gaps
  • Before any production release, validate your security posture with a professional or AI-assisted pentest that actually sends requests with the anon key rather than only reviewing the code.
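The three steps above, carried through on a small multi-tenant schema, as an added example. This is not code from Lovable, from the report, or from Supabase's documentation; the organizations/memberships/documents tables, the column names and the has_org_role helper are illustrative assumptions. It shows the state an assistant typically leaves a demo in (tables with no RLS), the hardening (RLS enabled, policies scoped to organization membership and role), and a plain-SQL version of the "policy gap" check that can run in CI against any Postgres.

```sql
-- Added example, not from the original post. Schema and names are assumptions.

-- 1. What a "working demo" usually looks like. Tables created in SQL have
--    RLS off, so the anon key embedded in the browser bundle reads and
--    writes every row through the auto-generated REST API, e.g.
--      curl "$SUPABASE_URL/rest/v1/documents?select=*" -H "apikey: $ANON_KEY"
create table public.organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table public.memberships (
  org_id  uuid not null references public.organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table public.documents (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null references public.organizations(id) on delete cascade,
  owner_id   uuid not null default auth.uid() references auth.users(id),
  title      text not null,
  body       text,
  created_at timestamptz not null default now()
);

-- 2. Hardening. Enable RLS on every table; with no policy for a role,
--    Postgres denies that role everything (anon gets no policy at all).
alter table public.organizations enable row level security;
alter table public.memberships   enable row level security;
alter table public.documents     enable row level security;

-- Helper (assumed name): does the caller hold at least min_role in the org?
-- security definer so policies can consult memberships without recursing
-- into that table's own policy; search_path pinned and every name
-- schema-qualified so a malicious function in another schema cannot hijack it.
create or replace function public.has_org_role(target_org uuid, min_role text)
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.memberships m
    where m.org_id = target_org
      and m.user_id = (select auth.uid())
      and case min_role
            when 'member' then m.role in ('member', 'admin', 'owner')
            when 'admin'  then m.role in ('admin', 'owner')
            when 'owner'  then m.role = 'owner'
            else false
          end
  );
$$;
revoke execute on function public.has_org_role(uuid, text) from public, anon;
grant  execute on function public.has_org_role(uuid, text) to authenticated;

-- Policies scoped to organization and role. with check on writes stops a
-- member from moving a document into an org they do not belong to.
create policy "members read org documents"
  on public.documents for select to authenticated
  using (public.has_org_role(org_id, 'member'));

create policy "members create documents in their org"
  on public.documents for insert to authenticated
  with check (public.has_org_role(org_id, 'member') and owner_id = (select auth.uid()));

create policy "owner or admin updates documents"
  on public.documents for update to authenticated
  using (owner_id = (select auth.uid()) or public.has_org_role(org_id, 'admin'))
  with check (public.has_org_role(org_id, 'member'));

create policy "admins delete documents"
  on public.documents for delete to authenticated
  using (public.has_org_role(org_id, 'admin'));

create policy "members see their own memberships"
  on public.memberships for select to authenticated
  using (user_id = (select auth.uid()) or public.has_org_role(org_id, 'admin'));

create policy "members see their orgs"
  on public.organizations for select to authenticated
  using (public.has_org_role(id, 'member'));

-- 3. The gap check, runnable in CI: public tables (the ones PostgREST
--    exposes) that have RLS off, or RLS on with no policy at all, which
--    is a full deny but usually means a table was forgotten.
--    Expect zero rows before a release.
select c.relname          as table_name,
       c.relrowsecurity   as rls_enabled,
       count(p.polname)   as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0;
```

Run the final query against the project database both before and after the migration: before, all three tables appear with rls_enabled = false; after, the result is empty. The curl line in the first comment is the single-request check from the text, and it should return an empty array (anon has no policy) once step 2 is applied.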

Third, there is finally good news. 

We are proud to announce that we have launched our AI Pentest, built on the same methodology used to identify the vulnerability in Lovable. The approach draws on techniques used by elite ethical hackers in GovTech and MilTech and is designed for real-world conditions, including the detection of AI-generated security flaws such as missing or broken access controls, insecure configurations, and authorization vulnerabilities that are increasingly common in AI-assisted development.

And because our mission is to make cybersecurity accessible, AI Pentest is designed to be cost-efficient without compromising depth or quality. Pricing starts at $1,000. You get the results in 4 days. No need to wait. No compromises. 

The output is not just a report – it is a practical foundation for reducing real-world risk. Fast to start using, aligned with real-world attack conditions, and easily integrated into development workflows.

Get AI Pentest / Book a discovery call with A42