This is an illustrative scenario. Names, details, and quotes are fictional.

    Healthcare
    Vertical SaaS

    How A Niche Vertical SaaS secured their vertical SaaS

    Solo founder found patient data in logs of a Bolt-built clinic management app

    Vulns fixed: 20
    Time saved: 2 months vs. manual review
    Scan frequency: daily automated scans

    The challenge

    A solo founder with a nursing background built a small clinic management app with Bolt to help independent practitioners manage appointments and patient records. The app grew to 50 clinics through word of mouth. When a clinic asked for proof of security practices before renewing their annual contract, the founder realized they had never done any security testing. They suspected patient data might be leaking into application logs but had no way to verify.

    Vulnerabilities discovered

    VibeEval found 20 security issues across this vertical SaaS application.

    Patient Data in Application Logs (critical, 1 found)
    Missing Encryption at Rest (critical, 1 found)
    Broken Access Control on Patient Records (critical, 1 found)
    Session Fixation (critical, 1 found)
    API Authentication Bypass (critical, 1 found)
    Missing Authorization Checks (high, 2 found)
    Missing Audit Trail (high, 2 found)
    Weak Password Policy (high, 1 found)
    Insecure File Upload (high, 2 found)
    Missing Security Headers (medium, 2 found)
    Verbose Error Responses (medium, 2 found)
    Outdated Dependencies with Known CVEs (medium, 2 found)
    Missing Input Validation (medium, 2 found)

    The solution

    VibeEval confirmed that patient names, dates of birth, and medical record numbers were being written to application logs in plain text across 14 different code paths. It also found that the patient records endpoint used sequential numeric IDs without verifying the authenticated user had permission to view that record. The founder remediated all findings in six weeks and renewed the clinic contract.

    "I built this app because I saw clinics struggling with terrible software. VibeEval showed me patient data was leaking into logs from 14 different places. I never would have found all of them manually."
    Solo Founder
    A Niche Vertical SaaS

    Frequently asked questions

    How did VibeEval detect patient data in logs?

    VibeEval traced data flows from database queries and API responses through the application, identifying 14 code paths where patient names, dates of birth, and medical record numbers were passed to logging functions without redaction.

    Was the broken access control on patient records exploitable?

    Yes. The patient records endpoint used a sequential numeric ID without verifying the authenticated user had permission to view that record. Any logged-in practitioner could view another clinic's patient records by changing the ID in the URL.
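    The two findings described in the answers above (patient data reaching logging calls, and a records endpoint that trusts a sequential ID), shown as an added TypeScript example that is not code from the clinic app, Bolt, or VibeEval: a recursive redaction pass for structured log context, the leaky log line beside its redacted form, and a patient lookup scoped to the caller's clinic. The data model (patients and practitioners keyed by a clinicId), the PHI field list, and the sample records are assumptions constructed for the example.

```typescript
// Added example, not code from the case study, Bolt, or VibeEval.
// Assumed data model: each patient record and each practitioner (the
// authenticated user) belongs to exactly one clinic.
type Patient = { id: number; clinicId: number; name: string; dob: string; mrn: string };
type User = { id: number; clinicId: number };

// Constructed sample records for the demonstration.
const PATIENTS: Patient[] = [
  { id: 1, clinicId: 10, name: "Jane Doe", dob: "1980-01-02", mrn: "MRN-0001" },
  { id: 2, clinicId: 20, name: "John Roe", dob: "1975-05-06", mrn: "MRN-0002" },
];

// Field names treated as PHI anywhere in a log context object (assumed list).
const PHI_KEYS = new Set(["name", "dob", "dateOfBirth", "mrn"]);

// Walks nested objects and arrays, replacing PHI fields before they reach the log sink.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = PHI_KEYS.has(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  return value;
}

// Leaky pattern from the finding: the whole record is serialised into the log line.
function leakyLogLine(p: Patient): string {
  return `loaded patient ${JSON.stringify(p)}`;
}

// Hardened form: the same call site, with the record redacted first.
function redactedLogLine(p: Patient): string {
  return `loaded patient ${JSON.stringify(redact(p))}`;
}

// Detection helper: does a log line carry any PHI value from the record it describes?
function logLineContainsPhi(line: string, p: Patient): boolean {
  return [p.name, p.dob, p.mrn].some((v) => line.includes(v));
}

// Hardened lookup: the record is returned only when it belongs to the caller's clinic.
// A missing record and another clinic's record both yield null, so the response does
// not reveal which sequential IDs exist.
function getPatientForUser(user: User, patientId: number): Patient | null {
  const p = PATIENTS.find((x) => x.id === patientId);
  return p && p.clinicId === user.clinicId ? p : null;
}
```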

    How did fixing these issues help the business?

    The founder used the VibeEval scan report as evidence of proactive security testing. The clinic renewed their contract, and the report became part of the sales materials for new clinic onboarding.

    How does the founder maintain security now?

    Daily VibeEval scans run automatically. Any code change that introduces a potential data exposure or weakens access controls is flagged before it reaches the main branch.

    Get similar results for your application

    Start scanning your application for vulnerabilities today. Free trial available.
