Support

My scan is stuck or taking too long — what do I do?

URL scans typically complete in under 30 seconds. If a scan has been running for more than 2 minutes, refresh the page and try again. Some apps behind heavy bot-protection (Cloudflare, Akamai) may time out — email us and we can investigate.

I ran a paid scan but didn't get the full report — can I get a refund or replacement credit?

Yes. Email support@vibe-scan.app within 7 days of the scan with your scan ID (visible in the URL on the results page) and we will issue a replacement credit.

I don't own the app but want to report a vulnerability I found — can I use VibeScan?

VibeScan is for scanning apps you own or have explicit permission to test. For responsible disclosure of issues in third-party apps, contact the app owner directly. We do not process third-party vulnerability reports.

Why does VibeScan need me to confirm I own the app?

Scanning a URL sends HTTP requests to it. Doing this without authorization may violate the Computer Fraud and Abuse Act or similar laws in your jurisdiction. The checkbox is your confirmation that you have the right to run a security test on the target.

Can I use VibeScan via API or CLI?

Yes. The scan API is available at POST https://vibe-scan.app/api/scan with body {"type": "url", "payload": "https://your-app.com"}. It returns JSON with findings and severity counts. See our blog for a GitHub Actions example.

Does VibeScan work on apps not built with AI tools?

Yes. VibeScan checks for common web security issues that appear in any app — missing headers, exposed secrets, JWT vulnerabilities, CORS misconfiguration. It is most useful for AI-built apps because those have predictable failure modes, but it works on any deployed web app.