Responsible use
Only scan apps you own or have permission to test.
VibeCheck is built for builders who want a fast pre-judging or pre-launch sanity check. It checks public pages, client bundles, source-map references, exposed infrastructure paths, browser security headers, bounded CORS preflights on referenced API routes, public API response-shape metadata, public schema/debug routes, Firebase web config, Next.js hydration payloads, React Server Component payloads, AI-era secret patterns, and owner-authorized Supabase read/storage probes while avoiding sensitive target content.
Allowed use
- Scan your own deployed app.
- Scan an app when the owner has explicitly asked you to do so.
- Use gated Supabase probes only when you can truthfully check the ownership box: you own the target or have explicit authorization from the owner.
- Understand that Supabase probes use bounded HEAD/count-style requests and storage bucket metadata checks. They do not fetch database rows or object contents.
- Treat Firebase config and public schema findings as production self-checks unless the report shows stronger evidence of exposed sensitive data. These map to firebase_config, debug_schema_surface, and client_data_exposure style findings.
Not allowed
- Do not scan apps you do not own or have permission to test.
- Do not use VibeCheck to exploit, mutate, brute force, bypass auth, or harvest data.
- Do not submit private-network, localhost, metadata, file, or non-http targets.
Contact
For removal requests, security concerns, or responsible disclosure coordination, contactpaawandesai.dev@gmail.com.