This is an illustrative scenario. Names, details, and quotes are fictional.
How a subscription billing tool secured their billing SaaS
Two-person team found a transaction replay bug in their Cursor-built billing tool
The challenge
A two-person team built a subscription billing tool with Cursor for indie SaaS founders who wanted an alternative to Stripe Billing's complexity. The app managed recurring payments, invoicing, and revenue analytics for 150 SaaS products. When a customer reported duplicate charges on their subscribers, the co-founders realized they had a transaction integrity problem but no security expertise to diagnose it.
Vulnerabilities discovered
VibeEval found 15 security issues across this billing SaaS application, including:
Transaction Replay Attack
IDOR on Account Endpoints
Credential Stuffing Vulnerability
Insecure Token Storage
Missing Transaction Signing
Weak API Key Generation
Missing Financial Operation Logging
Missing Rate Limiting on Transfers
Insecure Webhook Verification
Missing TLS Certificate Pinning
Information Disclosure in Error Messages
The solution
VibeEval found that the payment processing endpoint lacked idempotency keys, so the server had no way to tell a retried or replayed request from a new payment and processed each copy as a separate charge. It also found that account endpoints used sequential IDs and checked only that the caller was logged in, not that the caller owned the record, letting any authenticated user walk the ID space and view other customers' billing data. The team fixed all critical issues in one sprint and integrated VibeEval into their PR workflow.
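The account-endpoint finding above is a classic insecure direct object reference. The following is an added example written for this page, not the team's code: a constructed in-memory account store with sequential IDs, the handler as the scanner would have found it (authentication only), the hardened handler that also checks ownership, and a small enumeration routine showing what a logged-in user can read from each. The names `ACCOUNTS`, `get_account_vulnerable`, `get_account`, `new_account_id` and `enumerate_accounts` are all hypothetical.

```python
"""IDOR on account endpoints: the vulnerable lookup beside the hardened one.

Hypothetical example for this page. ACCOUNTS, the handlers and the attacker
routine are constructed stand-ins, not the billing tool's own code.
"""
import secrets


# Constructed sample data: sequential account IDs, one record per customer.
ACCOUNTS = {
    1: {"owner": "user_alice", "plan": "pro", "card_last4": "4242"},
    2: {"owner": "user_bob", "plan": "starter", "card_last4": "1881"},
    3: {"owner": "user_carol", "plan": "pro", "card_last4": "0005"},
}


class NotFound(Exception):
    """Maps to an HTTP 404 in the real endpoint."""


def get_account_vulnerable(current_user, account_id):
    """Before: the caller is authenticated (we have a current_user) but the
    record is fetched by ID alone. Any logged-in user can request
    account_id = 1, 2, 3, ... and read every customer's billing data."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise NotFound(account_id)
    return account


def get_account(current_user, account_id):
    """After: the lookup is scoped to the caller. A record owned by someone
    else produces the same 404 as a missing record, so the endpoint does not
    confirm which IDs exist. In a SQL-backed app this is the equivalent of
    adding 'AND owner = :current_user' to the query rather than filtering
    after the fetch."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != current_user:
        raise NotFound(account_id)
    return account


def new_account_id():
    """Opaque identifier for newly created records. This removes the
    guessable sequence but is a defense-in-depth measure only; the ownership
    check in get_account is what actually closes the IDOR."""
    return "acct_" + secrets.token_urlsafe(16)


def enumerate_accounts(handler, current_user, max_id=10):
    """Simulates an attacker walking the ID space as an ordinary logged-in
    user. Returns the IDs whose data the handler handed back."""
    leaked = []
    for candidate in range(1, max_id + 1):
        try:
            handler(current_user, candidate)
            leaked.append(candidate)
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(get_account_vulnerable, "user_bob"))
    print("hardened:  ", enumerate_accounts(get_account, "user_bob"))
```

Run as a script, the vulnerable handler hands Bob all three accounts while the hardened one returns only his own. The point a reviewer should take from this: switching to random IDs without adding the ownership check leaves the bug in place for any ID that leaks through a URL, log line or email, so the check belongs in every read, update and delete path, not just the one the scanner flagged.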
"Our customers trust us with their billing. The transaction replay bug could have caused double-charges across 150 SaaS products. VibeEval found it in the first scan. We run it on every PR now."
Frequently asked questions
What was the transaction replay vulnerability?
The payment processing endpoint lacked idempotency keys, meaning an identical payment request could be submitted multiple times and each would be processed as a separate transaction. An attacker could replay a captured request to cause duplicate charges.
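The mechanism described in this answer and in the solution section above, as an added example that is not the team's code: a constructed stand-in for the card processor, the charge handler without idempotency (every request that arrives becomes a charge), and a hardened service that requires an idempotency key scoped to the calling account, returns the original charge on a replay, and rejects a key that is reused with a different payload. `PaymentGateway`, `IdempotentPaymentService`, the in-memory key store and the sample request are all hypothetical.

```python
"""Transaction replay: a charge handler without idempotency beside one with it.

Hypothetical example for this page. The gateway, the key store and the
request payloads are constructed stand-ins, not the billing tool's own code.
"""
import hashlib
import json
import uuid


class PaymentGateway:
    """Stand-in for the card processor; records every charge it is asked to make."""

    def __init__(self):
        self.charges = []

    def charge(self, customer_id, amount_cents, currency):
        charge_id = "ch_" + uuid.uuid4().hex[:12]
        self.charges.append((charge_id, customer_id, amount_cents, currency))
        return charge_id


def process_payment_vulnerable(gateway, request):
    """Before: each request that reaches the endpoint becomes a new charge.
    A client retry, a double-click or a replayed captured request all
    double-charge the subscriber."""
    return gateway.charge(request["customer_id"], request["amount_cents"], request["currency"])


class IdempotencyConflict(Exception):
    """A key was reused with a different payload; maps to HTTP 409/422."""


class IdempotentPaymentService:
    """After: the caller supplies an Idempotency-Key; the service remembers
    the outcome per (account, key) and replays it instead of charging again."""

    def __init__(self, gateway):
        self.gateway = gateway
        # (account_id, key) -> (payload fingerprint, charge_id).
        # In production this is a table with a unique constraint on the pair,
        # written in the same database transaction as the charge record, so
        # two concurrent copies of the request cannot both reach the gateway.
        self._seen = {}

    @staticmethod
    def _fingerprint(request):
        body = {k: request[k] for k in ("customer_id", "amount_cents", "currency")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def process_payment(self, account_id, request, idempotency_key):
        if not idempotency_key:
            raise ValueError("Idempotency-Key is required on payment requests")
        fingerprint = self._fingerprint(request)
        # Keys are scoped to the authenticated account so one tenant's key can
        # never collide with, or replay, another tenant's charge.
        prior = self._seen.get((account_id, idempotency_key))
        if prior is not None:
            prior_fingerprint, charge_id = prior
            if prior_fingerprint != fingerprint:
                raise IdempotencyConflict(idempotency_key)
            return charge_id, False  # replay: same charge, nothing new sent to the gateway
        charge_id = self.gateway.charge(
            request["customer_id"], request["amount_cents"], request["currency"]
        )
        self._seen[(account_id, idempotency_key)] = (fingerprint, charge_id)
        return charge_id, True


def replay_demo():
    """Submit the same captured request twice against both handlers and
    report how many charges the gateway actually made."""
    request = {"customer_id": "cus_123", "amount_cents": 4900, "currency": "usd"}

    vulnerable_gw = PaymentGateway()
    process_payment_vulnerable(vulnerable_gw, request)
    process_payment_vulnerable(vulnerable_gw, request)

    hardened_gw = PaymentGateway()
    service = IdempotentPaymentService(hardened_gw)
    key = "idem_" + uuid.uuid4().hex
    first_id, first_created = service.process_payment("acct_1", request, key)
    second_id, second_created = service.process_payment("acct_1", request, key)

    return {
        "vulnerable_charges": len(vulnerable_gw.charges),
        "hardened_charges": len(hardened_gw.charges),
        "same_charge_returned": first_id == second_id,
        "created_flags": (first_created, second_created),
    }


if __name__ == "__main__":
    print(replay_demo())
```

Two caveats a practitioner should keep in mind. First, an idempotency key stops verbatim replays and client retries; an attacker who holds a captured request and can mint a fresh key still gets a new charge, which is why the page's separate "Missing Transaction Signing" finding matters: the key has to be covered by whatever signs or authenticates the request. Second, the in-memory dictionary here is only a stand-in; without a database-level unique constraint checked in the same transaction as the charge, two concurrent copies of the request can both miss the lookup and both reach the gateway.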
How did VibeEval help a two-person team?
VibeEval organized each vulnerability by severity and business impact. The prioritized remediation plan let the two co-founders focus on the most critical fixes first without needing a dedicated security hire.
How does VibeEval handle financial transaction logic?
VibeEval traces the full lifecycle of financial operations including authorization, processing, and reconciliation. It identifies common fintech vulnerabilities like race conditions, missing idempotency, and broken transaction integrity.
How does VibeEval compare to hiring a security consultant?
VibeEval is an automated scanner, not a penetration test. It catches code-level vulnerabilities instantly and continuously. Teams often use VibeEval for ongoing scanning and supplement with periodic manual reviews as they grow.
Get similar results for your application
Start scanning your application for vulnerabilities today. Free trial available.