BoilerplateHub logo

BoilerplateHub

⚡ Perfect for Vibe Coding — Skip weeks of setup. Browse 100+ production-ready boilerplates.

Browse boilerplates →

Is Vibe Coding Bad? An Honest Answer From People Who Do It

Marcus Webb
6 min read 1,088 words

People asking this question have usually just seen both sides of the argument: a thread of founders shipping products in days, and a thread of engineers calling those products security disasters waiting to happen. Both threads are telling the truth. The honest answer to "is vibe coding bad" is that it depends entirely on two variables: what you are building and what happens to the code afterwards.

Let's take the criticisms one at a time and sort the real ones from the gatekeeping.

The Criticisms That Are Right

"Nobody understands the code." True by definition, vibe coding means not reading the output, and it is the root of every other problem. Software that nobody understands can still run fine for months. The cost arrives the day it breaks in a way the AI cannot fix from a description of the symptom, and someone has to do archaeology on a codebase with no author.

"The security problems are real." This is the strongest criticism and it deserves to be taken seriously rather than defensively. Security researchers auditing vibe-coded apps keep finding the same classes of holes: API keys exposed client-side, missing authorization checks on endpoints, injection vulnerabilities, auth flows that work in the demo and fail in the edge cases. The AI writes code that works; whether it is safe is a different property, and one you cannot see from the running app. We documented the recurring patterns in the hidden security risks of vibe-coded apps.

"It falls apart at scale." Mostly true. Session-by-session generation produces architectural drift: inconsistent patterns, duplicated logic, dependencies nobody chose deliberately. Small apps shrug this off. Growing apps feel it as every change starting to break something else.

Meme: two composed cartoon people labeled Talking about vibe coding, above the same two people looking exhausted with energy drinks, labeled Actually vibe coding

The Criticisms That Are Mostly Gatekeeping

"It's not real programming." The running software does not care. A founder who validates a business with a vibe-coded MVP got more value from programming than most side projects ever deliver. The craft argument matters for production systems; as a blanket dismissal it is just the latest verse of an old song that was previously sung about high-level languages, frameworks, and Stack Overflow.

"People will learn bad habits." Some will. Others are learning faster than any previous generation because they have an infinitely patient explainer attached to their build tool. The same tool that writes the code will explain it line by line if you ask. Whether someone learns is about curiosity, not the tool.

"AI code is always worse." The data does not support "always". For the repetitive majority of application code, reviewed AI output is competitive with mid-level human output. The quality gap concentrates in exactly the places the honest critics point to: security-critical, stateful, edge-case-heavy code.

So When Is Vibe Coding Actually Bad?

A simple rule covers nearly every case. Vibe coding is bad in proportion to the cost of invisible mistakes.

  • Personal tools, prototypes, demos, internal dashboards: invisible mistakes cost nothing. Vibe code freely. This is the use case the term was invented for.
  • A real product without payments or sensitive data: moderate. Vibe code it, but start forming opinions about the code, and follow some basic discipline.
  • Anything handling money, identity, or personal data: this is where unreviewed AI code is genuinely dangerous, and where the dismissive critics are simply right.

The Fix Is Boring and It Works

For that third category, the answer the indie community has converged on is not "learn to write auth by hand". It is: do not generate the dangerous parts at all. Start from a boilerplate where a human wrote, tested, and audited the auth, the billing, the email, and the deployment, and aim your vibe coding at the product features on top.

This single decision removes most of the legitimate criticism. The security-critical code has an author. The architecture has a spine that AI sessions cannot drift away from. And your AI tool works better anyway, because it extends working patterns instead of inventing its own. Compare what different kits cover out of the box: auth, Stripe billing, or the full compare hub.

If the stakes are high and you have budget, the other respectable answer is hiring experts outright: to audit what you generated, or to build the production version properly while you keep moving on the product side. We maintain a vetted, budget-ranked list in how to hire a company to build a custom AI product.

If you want the deeper comparison of the two philosophies, we wrote it up in vibe coding vs traditional coding.

The Verdict

Vibe coding is not bad. Unreviewed vibe-coded production systems handling other people's money and data are bad, and the people pointing that out are not gatekeeping, they are doing you a favor. Everything below that threshold is the largest expansion of who gets to build software in decades, and the criticism of it ages worse every month.

Build fast. Just know which 20% of your app deserves a human author, and buy that part instead of generating it.

Frequently Asked Questions

Is vibe coding bad for beginners?

No, it is arguably the best entry point to building software that has ever existed, provided you stay curious about what the code does. Ask the AI to explain what it wrote. Beginners who treat the output as a black box forever stay stuck at the level of luck; beginners who read along learn unusually fast.

Why do developers hate vibe coding?

A mix of legitimate concern and reflex. The legitimate part: unreviewed AI code in production has caused real security incidents, and experienced developers are the ones called to clean up. The reflex part: every tool that lowered the barrier to programming was initially dismissed by people who climbed the old barrier.

Can vibe coding cause security problems?

Yes, demonstrably. Common findings in vibe-coded apps include exposed API keys, missing access controls, and injection vulnerabilities. The mitigation most founders use is starting from a human-audited boilerplate for auth and payments so the riskiest code is never AI-generated in the first place.

Should I stop vibe coding?

If you are prototyping, learning, or building internal tools: no, keep going. If you are running AI-generated auth or payment code in production unreviewed: yes, stop, and replace that layer with audited code before it costs you. The dividing line is what an invisible mistake costs you.

Vibe code the product, not the plumbing

Auth, billing, and email are the parts AI gets subtly wrong. Start from a boilerplate where humans wrote and audited them, and aim your prompts at the features that make your product yours.

Browse boilerplates Kits with auth Kits with Stripe
Marcus Webb

Written by

Marcus Webb

Senior Developer & Technical Writer

Full-stack developer and indie hacker. Ships products fast using AI-assisted development. Writes about vibe coding and developer tools.

BoilerplateHub BoilerplateHub ⚡ Perfect for Vibe Coding

You have the idea. Now get the code.

Save weeks of setup. Browse production-ready boilerplates with auth, billing, and email already wired up.

Browse boilerplates

Comments

Leave a comment

0/2000