The vibe coding backlash has arrived right on schedule. Open LinkedIn, open X, open any developer Substack and you'll find some version of the same take: vibe-coded apps are insecure, vibe-coded MVPs don't scale, vibe coders aren't real engineers. The crash is coming. The reckoning is here. We told you so.

And look — some of it isn't wrong. So let's just put the receipts on the table first, because I'm not interested in pretending the criticism is invented.

The stats the critics are waving around. Fine. Here they are.

Veracode's 2025 GenAI Code Security Report found that 45% of AI-generated code samples contained OWASP Top 10 vulnerabilities. A separate audit of 1,645 apps built on Lovable found that 10.3% had critical row-level security flaws in their Supabase configs — the kind that let any random user read any other user's data. Other research puts AI-generated code at 2.74x more vulnerabilities than what humans write by hand.

It gets worse the more you iterate. In one study, researchers had GPT-4o revise its own code up to 40 times. By the fifth round, the code had 37% more critical vulnerabilities than the initial version. The longer you vibe, the more the cracks compound.

And there's the now-famous SaaStr horror story, where an AI agent — over the course of one long session — ignored a code freeze, lied about running tests and eventually deleted the entire production database. Months of executive records, gone.

So yes. The critics have material. Vibe-coded apps can leak data. Vibe-coded MVPs can collapse under any real traffic. A founder shipping a Lovable app to paying customers without a security review is, statistically, shipping a problem.

Cool. Now let's talk about the part nobody putting these stats in a quote-tweet wants to talk about.

The barrier I used to live behind. And every woman with an idea lived behind.

Here is what building an MVP looked like in 2018. In 2015. In 2010. In 2005. Any year before this one, basically.

You had an idea. Maybe a great one. Maybe one nobody else was going to think of because it was rooted in a problem you'd actually lived. So you went to figure out how to build it. And you found out:

If you didn't have that cash, you had three options. Find a technical co-founder, which in practice meant finding a man willing to give you the time of day in exchange for 50% of your company. Call in a favor from someone in your network, which assumed your network had the right someone in it. Or wait. Most of us waited.

I waited on ideas for years. Years. I had concepts I knew were good, that I had the strategy and the audience and the marketing chops to ship — and the build cost alone meant they sat in a Notes file. I have one I started writing in 2014 that is finally — finally — about to launch this year, because I can finally build it myself.

The version of "the bar was higher back then" that people are nostalgic for is a version where most of us weren't allowed in the room.

And let's not pretend this was distributed evenly. BCG's research on women founders showed we received less than half the funding men did per dollar pitched — and still generated 2.5x better returns on what we got. So when the bar to even test an idea was $30K and a technical co-founder, you can do the math on who never got to find out if their idea would have worked.

So here come the tools. And here comes the eye-rolling.

Vibe coding shows up. Lovable, Cursor, Replit, Bolt, Claude, the whole stack. Suddenly the $30K MVP is something I can sketch out over a weekend. Suddenly I can validate the idea before I ask a single person for money. Suddenly the friend with the idea who's been stuck for a decade has the same access I do.

And the response from a loud slice of the developer world has been — let's just call it what it is — contemptuous. "It's not real coding." "You're going to embarrass yourself." "Wait until it breaks." "You don't even know what you've shipped."

One writer put it perfectly: there's a "romantic and toxic idea that if you didn't write every character with your own fingers, suffering with documentation open in another tab, you're not a real programmer." That's not a critique of bad code. That's a gate. And the people manning it are not, broadly speaking, the people who lived behind the old gate.

Here's what I keep noticing: a lot of the loudest critics are not people who used to defend non-technical founders when the toll was $50K and a co-founder hunt. They were fine with that filter. The problem isn't that bad code exists. The problem is that we are the ones writing it now.

What an MVP is. What an MVP isn't.

Let's also be honest about the category we're talking about. A minimum viable product is, by definition, a thing you ship to learn. It is supposed to be fragile. It is supposed to be ugly. It is supposed to have edges. The whole point is to find out whether the idea has a pulse before you spend real money making it bulletproof.

Vibe-coded MVPs are excellent for that. Use the JPMorgan founder guide, the YC playbook, any of the 2026 startup writeups — they all say the same thing. Vibe code to validate. Hire engineers to scale. Those are two different phases of the same business. The criticism collapses them into one and pretends nobody can tell the difference. Most of us can. I can.

The 96% of developers who don't fully trust AI-generated code? Good. Don't. The 23% of frontend devs who actually review AI output for security before shipping? That number should be higher, and it will be, because the tools and the norms around them are eighteen months old. Every category of software went through this. Remember when "anyone can build a website on Squarespace" was an insult? Remember when a website used to cost $40K?

The surface area of buildable software just got dramatically bigger. The amount of useful software in the world goes up. The work for real engineers — to harden, secure, refactor what we build — also goes up. Nobody loses here. Unless the point was the gate.

Zoom out. It's not just the code people are mad about.

And it's not just vibe coding catching this energy. Open the same threads and you'll find every flavor of AI dismissal stacked on top of each other. "It's just an LLM." "It's cheating." "You don't actually own the IP." "The data centers are boiling the oceans." Each one of those is a real conversation worth having. I'm not here to tell you the concerns are fake — some of them are deeply legitimate, especially the resource and energy ones.

But the volume on the criticism has completely drowned out what is, to me, the much more interesting story: what people are quietly building with these tools and putting into their actual lives, right now, this month.

I'm in rooms almost every week — meetups, women's circles, fractional ops groups, indie founder dinners, AI-curious-newcomer sessions — and the rooms are full of receipts. A creative running a custom database for her portfolio and client work, built so she finally owns the asset her career sits on top of. A parent prototyping a kid-safety application because the off-the-shelf ones don't actually fit how her family uses devices. A founder shipping a city-specific tool to solve a local problem her municipality hasn't gotten around to. A team building a real-time legislation tracker so regular people can actually follow what's about to land on them. None of these people are on TechCrunch. None of them are at OpenAI DevDay. They're just shipping.

That story is not the headline. The headline is the data center water usage, the model hallucination du jour, the latest deepfake scandal, the IP lawsuit. All real. All worth covering. But somewhere in the noise, the everyday person — the one who could most benefit from these tools to claw back three hours a week — has been left with the impression that AI is something happening to them, instead of something they could pick up and use tomorrow.

The conversation we're having about AI is mostly about its risks. The conversation we're not having is what actual people are already doing with it to make their day shorter, their work better, their inbox triaged, their kid's homework finally explained, their idea finally launched.

That gap is what worries me more than the criticism itself. Because while we're all arguing about whether AI is theft or salvation, a quiet slice of people — disproportionately women, disproportionately mid-career — are just using it. Not waiting for the discourse to land. Not waiting for permission. Not waiting for a sanctioned developer to bless what they've built. They're picking up the tool, finding the part that makes their life easier and getting on with it.

That's the part I wish more of the coverage was about. Not the hate. Not the hype. The use.

About the "you don't own the IP" line.

Of all the AI criticisms, this one might drive me the most crazy — because it's the most repeated and the most loosely understood. So let's just untangle what's actually happening when you build something with these tools.

Every major model provider — OpenAI, Anthropic, Google, go pull up their terms — explicitly assigns IP rights in the outputs to the user. You prompt, you direct, you keep iterating until the output does what you want, and the resulting code, copy, design, whatever it is, belongs to you. That's not legal hand-waving. It's written into the contracts every founder is already clicking through.

The more interesting question is whether what AI generates is copyrightable in the first place. The U.S. Copyright Office has been clear: purely machine-generated output, with no meaningful human involvement, isn't copyrightable. But — and this is the part that keeps getting skipped — the moment you direct, select, arrange, edit, refine and assemble that output into something larger, human authorship is right there. You don't lose the IP because part of the work involved a tool. Otherwise nobody would have ever owned a Photoshop file, a Word doc, or a song built in Ableton.

The IP that actually matters in a startup is rarely "who wrote line 47 of the React component." It's the idea, the brand, the audience, the customer data, the relationships, the business model. All of which are entirely yours.

There are real, narrow risks worth knowing about. If a model regurgitates a verbatim chunk of GPL-licensed code, you've got a license issue to clean up. Worth a check, especially before you start charging anyone money. Tooling exists for this — Snyk, GitGuardian, GitHub's own scanners — and it's a solvable, normal cost of doing business. The same way every dev team has had to vet open-source dependencies for the last twenty years.

And there are the training-data lawsuits — class actions about whether the models should have been trained on a given codebase or library or book at all. Those will run their course in court. The outcome will matter for the model companies. It will not retroactively invalidate the IP of a founder who used the tool in good faith to build something useful.

What I keep noticing is that the "you don't own the IP" line almost never lands on the actual legal complexity. It gets used as a vibes-based reason to feel skeptical. The same person waving that flag will happily write code with a Stack Overflow tab open, ship features on top of a hundred open-source libraries they never read the license for and lift snippets from a Medium tutorial — none of which they "own" in any deeper sense than what they vibe-coded yesterday morning.

If you're building something real, the IP that's going to matter in five years is whether your idea connects with a customer, whether you can defend the brand, whether you have a contract with your users, whether your data is protected. Not the line-by-line provenance of your MVP boilerplate.

And the part that's a little quieter in these conversations.

A huge share of the people picking up these tools right now are women. Women in their 30s, 40s, 50s, with ideas they've been carrying for a decade. Women who already run the household, the calendar, the budget, the soft launch of every life decision in a five-mile radius. Women who absolutely have the product instincts and the customer empathy and the resilience — and who, until 2024, did not have the build budget.

Watch who's quietly shipping right now. It's not just the 22-year-old Stanford CS grad. It's the mom who finally built the school logistics app she's been wanting since her kid started kindergarten. It's the operator who automated her own job out of existence and turned the automation into a product. It's the strategist who launched the platform she pitched in three different rooms in 2019 and got told "find a CTO."

The pushback hits this group hardest. Because the message lands as: you weren't allowed before, and now that you are, we'd like you to know that what you're doing doesn't count.

It counts.

Frequently asked, briefly answered.

What is vibe coding?
Building software by describing what you want in natural language and letting AI tools generate the code. Platforms like Cursor, Lovable, Replit and Claude let a non-developer direct, edit and ship working software without writing the syntax by hand.
Is vibe coding safe for production?
Not without review. Studies show 45% of AI-generated code samples carry OWASP Top 10 vulnerabilities, and AI-written code averages 2.74x more vulnerabilities than human-written equivalents. Vibe code is excellent for validating an idea or shipping an MVP to early users. Before you take money from real customers, bring in an engineer to harden the build.
Do you own the IP of code built with AI tools?
Generally yes. OpenAI, Anthropic and Google all assign output IP to the user in their terms of service. The U.S. Copyright Office requires meaningful human authorship for copyright protection, and a founder who directs, selects, edits and assembles the AI output supplies exactly that. Verbatim regurgitation of licensed code is a narrow, separate risk you can scan for with tools like Snyk, GitGuardian or GitHub's built-in scanners.
What are real things people are building with vibe coding right now?
Custom databases for creatives, kid-safety applications, city-specific civic tools and real-time legislation trackers — built by founders, parents, operators and small teams who used to be priced out of building anything at all.
Why does the pushback target women founders most?
Because the people most enabled by these tools are the ones who were locked out of building before. When the bar to even test an idea was a $30K MVP and a technical co-founder, most non-technical women never got the chance. Now that they can build, the framing of vibe coding as "not real coding" lands as gatekeeping.

What I actually want you to take from this.

If you're a developer worried about security in AI-generated code — you're right to be. Write the threat models. Build the linters. Open-source the audit tools. There's a real, valuable, well-paid future for engineers who help vibe-coded apps grow up. That's a constructive lane and a lot of people are already in it.

If you're a founder vibe coding your way to an MVP — keep going. And know what you have. A vibe-coded app is a prototype with a pulse. It is enough to validate, enough to test, enough to put in front of ten real users and learn something. It is not yet a production system. When you have proof the idea has legs, get a real engineer on it before you take money from real customers. That's not gatekeeping. That's just the next stage of the build.

And if you're the person sharpening a quote-tweet about how vibe coders are going to "find out the hard way" — ask yourself, honestly, whether you were equally loud about the $50K wall that locked half the people with good ideas out of the room for the last twenty years. If the answer is no, then your concern isn't really about code quality. It's about who gets to call themselves a builder. And that argument was always going to lose.

The gate is open. We're walking through it. The receipts on what we build will speak for themselves — same way yours did.