Lovable Denies Data Leak, Blames 'Intentional Behavior' and HackerOne in Shifting Response
Vibe-coding platform Lovable is facing intense scrutiny after dismissing a critical security report that found anyone could create a free account and access other users' sensitive data, including credentials, chat history, and source code. The company's initial response framed the exposure as a result of 'intentional behavior' and 'unclear documentation,' a stance that security researchers immediately challenged as a mischaracterization of a clear vulnerability.
The situation escalated when Lovable shifted its narrative, publicly implicating its bug-bounty partner, HackerOne. The company suggested the bug-bounty platform's processes were at fault, effectively deflecting blame from its own security posture. This move has drawn criticism from the infosec community, which views it as an attempt to discredit a valid finding and mishandle responsible disclosure rather than address the core exposure.
The incident serves as a case study in flawed vulnerability management and corporate communication under pressure. Lovable's evolving story damages its credibility with both security researchers and its user base, who entrusted the platform with proprietary code and communications. The fallout raises significant questions about internal security practices and the risks of alienating the ethical hacking community, which is essential for identifying such flaws.