{"id":60513,"date":"2026-04-21T02:50:18","date_gmt":"2026-04-21T02:50:18","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/"},"modified":"2026-04-21T02:50:18","modified_gmt":"2026-04-21T02:50:18","slug":"vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/","title":{"rendered":"Vibe coding upstart Lovable denies data leak, cites &#8216;intentional behavior,&#8217; then throws HackerOne under the bus"},"content":{"rendered":"<p><span class=\"label\">UPDATED<\/span> Vibe-coding platform Lovable is pooh-poohing a researcher\u2019s finding that anyone could open a free account on the service and read other users&#8217; sensitive info, including credentials, chat history, and source code. However, the company\u2019s story keeps changing: First it attributed the publicly exposed info to &#8220;intentional behavior&#8221; and &#8220;unclear documentation,&#8221; then threw bug-bounty service HackerOne under the bus.<\/p>\n<p>The drama appears to be the latest example of an AI firm, in this case a startup that <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/lovable.dev\/blog\/series-b\">claims a $6.6 billion valuation<\/a>, <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/04\/19\/ai_vendors_response_to_security\/\">shirking responsibility for security flaws<\/a> in its products. 
Companies including Uber, Zendesk, and Deutsche Telekom all use Lovable&#8217;s vibe coding AI tool, according to its latest funding announcement.<\/p>\n<p>&#8220;Lovable has a mass data breach affecting every project created before November 2025,&#8221; a researcher who goes by @weezerOSINT on X <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/weezerOSINT\/status\/2046170666131669027\">posted<\/a> on Monday. &#8220;I made a Lovable account today and was able to access another user&#8217;s source code, database credentials, AI chat histories, and customer data are all readable by any free account.&#8221;<\/p>\n<p>The researcher said they reported the flaw 48 days ago, and that HackerOne labeled it a &#8220;duplicate submission,&#8221; and left it open. The researcher then sent a <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/weezerOSINT\/status\/2046171798992199974\/photo\/1\">bug report<\/a> to HackerOne, and <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/weezerOSINT\/status\/2046170666131669027\/photo\/2\">screen shots<\/a> show a March 3 submission date. 
Subsequent posts show the <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/weezerOSINT\/status\/2046170671110402443\">AI leaking secrets<\/a> and personal data in chats.<\/p>\n<h3 class=\"crosshead\">BOLA bug<\/h3>\n<p>The leak stems from a <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0xa1-broken-object-level-authorization\">Broken Object Level Authorization (BOLA) vulnerability<\/a>, which occurs when an API exposes endpoints that allow users to access or modify sensitive data belonging to other users due to missing ownership validation.<\/p>\n<p>According to the bug hunter, no offensive hacking is needed to trigger the bug. They say they made five API calls from a free account and gained access to another user&#8217;s profile, their public projects, and source code, and then extracted database credentials from the source code.<\/p>\n<p>In X posts later on Monday the AI coding company <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/Lovable\/status\/2046270357674299623\">first said<\/a> it was &#8220;made aware of concerns regarding the visibility of chat messages and code on Lovable projects with public visibility settings,&#8221; and added: &#8220;To be clear: We did not suffer a data breach.&#8221;<\/p>\n<p>The company then went on to blame its documentation \u2013 specifically &#8220;our documentation of what &#8216;public&#8217; implies was unclear, and that&#8217;s a failure on us.&#8221; It also noted that chat messages for public projects &#8220;used to be visible,&#8221; but that is no longer the case.<\/p>\n<p>And then it offered this head-scratching message about intentionally making prompts and source code visible:<\/p>\n<p>So it&#8217;s by design \u2013 unless you&#8217;re an enterprise customer, that is. For this group of users, &#8220;being able to set visibility to public for new projects has been disabled since May 25, 2025.&#8221;<\/p>\n<h3 class=\"crosshead\">Lovable&#8217;s oops moment<\/h3>\n<p>Later on Monday, Lovable <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/Lovable\/status\/2046301006795870346\">issued a new statement<\/a> on X, apologizing that its earlier post &#8220;didn&#8217;t properly address our mistake,&#8221; explaining how it got into this public-versus-private-project mess in the first place, and then blaming its bug bounty partner, HackerOne, for its failure to fix the flaw.<\/p>\n<p>Users, the startup said, can select a &#8220;public&#8221; or &#8220;private&#8221; option for projects.<\/p>\n<p>&#8220;A public project meant the entire project was public, both chat and code,&#8221; Lovable explained. &#8220;Over time, we realized this was confusing. Many users thought &#8216;public&#8217; just meant others could see their published app, not the chat of an unpublished project. That&#8217;s reasonable.&#8221;<\/p>\n<p>Early free-tier users didn&#8217;t get an option to create private projects. 
They had to upgrade to a paid plan if they wanted to do that \u2013 until May 2025, when Lovable started letting free-tier users make private projects, and disabled the public setting for enterprise customers altogether.<\/p>\n<p>In December 2025, the company switched to private by default across all tiers.<\/p>\n<p>&#8220;We also retroactively patched our API so public project chats couldn&#8217;t be accessed, no matter what,&#8221; according to the company\u2019s mea culpa. &#8220;Unfortunately, in February, while unifying permissions in our backend, we accidentally re-enabled access to chats on public projects.&#8221;<\/p>\n<p>This was the security issue that WeezerOSINT reported to Lovable via HackerOne. Chaos ensued.<\/p>\n<p>&#8220;Unfortunately, the reports were closed without escalation because our HackerOne partners thought that seeing public projects&#8217; chats was the intended behaviour,&#8221; Lovable wrote. 
&#8220;Upon learning this, we immediately reverted the change to make all public projects&#8217; chats private again.&#8221;<\/p>\n<p>HackerOne declined to comment initially, pending further review. &#8220;Given the nature of customer programs and the need to review details carefully, we&#8217;re not able to comment further right now,\u201d the company told <i>The Register<\/i>. \u201cWe want to ensure anything we share is accurate and responsible. We&#8217;ll follow up once we&#8217;ve completed that review.&#8221;<\/p>\n<p>Lovable noted it appreciates the researchers who uncovered this mess. &#8220;We understand that pointing to documentation issues alone was not enough here,&#8221; it said. &#8220;We&#8217;ll do better.&#8221; \u00ae<\/p>\n<h3 class=\"crosshead\">Updated at 02:45 UTC, April 21<\/h3>\n<p>A Lovable spokesperson has been in touch, and told <em>The Register<\/em> that the company wasn\u2019t aware of the issue until Monday, and \u201cwe addressed it as soon as we learned about it.\u201d<\/p>\n<p>\u201cThis was originally reported through our vulnerability disclosure program (via HackerOne),\u201d the spokesperson added. \u201cUnfortunately, the reports were closed without escalation to our internal team because our HackerOne partners thought that seeing public projects\u2019 chats was the intended behavior, as was the case historically.\u201d<\/p>\n<p>The spokesperson clarified that any user could have changed their project from public to private at any time. 
\u201c And chats from public projects are no longer visible &#8211; for anyone,\u201d they added.<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2026\/04\/20\/lovable_denies_data_leak\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lesson in how not to respond to vulnerability reports UPDATED\u00a0 Vibe-coding platform Lovable is pooh-poohing a researcher\u2019s finding that anyone could open a free account on the service and read other users&#8217; sensitive info, including credentials, chat history, and source code. However, the company\u2019s story keeps changing: First it attributed the publicly exposed info to &#8220;intentional behavior&#8221; and &#8220;unclear documentation,&#8221; then threw bug-bounty service HackerOne under the bus.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-60513","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Vibe coding upstart Lovable denies data leak, cites &#039;intentional behavior,&#039; then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vibe coding upstart Lovable denies data leak, cites &#039;intentional behavior,&#039; then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-21T02:50:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Vibe coding upstart Lovable denies data leak, cites &#8216;intentional behavior,&#8217; then throws HackerOne under the bus\",\"datePublished\":\"2026-04-21T02:50:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/\"},\"wordCount\":917,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The 
Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/\",\"name\":\"Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2026-04-21T02:50:18+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vibe coding upstart Lovable denies data leak, cites &#8216;intentional behavior,&#8217; then throws HackerOne under the 
bus\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},
\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/","og_locale":"en_US","og_type":"article","og_title":"Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-21T02:50:18+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Vibe coding upstart Lovable denies data leak, cites &#8216;intentional behavior,&#8217; then throws HackerOne under the 
bus","datePublished":"2026-04-21T02:50:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/"},"wordCount":917,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/","url":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/","name":"Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2026-04-21T02:50:18+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7
C300x600%7C300x601&amp;tile=2&amp;c=2aecAVFOXIFMTbQIHTxb-wgAAAkY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/vibe-coding-upstart-lovable-denies-data-leak-cites-intentional-behavior-then-throws-hackerone-under-the-bus\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Vibe coding upstart Lovable denies data leak, cites &#8216;intentional behavior,&#8217; then throws HackerOne under the bus"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60513"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60513\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}