Vibe Coding Is Either the Best Thing to Happen to Developers or a Slow-Motion Security Disaster. The Data Says Both

74% of developers report productivity gains. 45% of the code they ship contains security vulnerabilities. Welcome to the defining tension of software development in 2026

What if the tool that makes you feel most productive is also the one quietly filling your codebase with vulnerabilities you will never find on your own?

That is not a hypothetical. That is what the data from 2025 is saying, and most of the discourse is still refusing to hold both truths at the same time.

On February 2, 2025, Andrej Karpathy — co-founder of OpenAI and former AI lead at Tesla — posted something on X that would become the most talked-about idea in software development for the next twelve months. He described a new kind of coding where you “fully give in to the vibes, embrace exponentials, and forget that the code even exists.” He called it vibe coding.

Collins English Dictionary named it Word of the Year for 2025. Merriam-Webster listed it as a “slang and trending” expression by March 2025. It is not a niche term anymore. It is the dominant conversation in tech, and the debate it has sparked is far more consequential than the label suggests.

Vibe coding is this: you describe what you want to build in plain English, a large language model generates the code, you review the result — or in true vibe coding fashion, you don’t review it at all — and you ship. The tools enabling this (Cursor, GitHub Copilot, Windsurf, Claude Code, Replit Agent) have proliferated faster than almost any previous technology shift in software development history. According to secondtalent.com’s industry analysis, 92 percent of U.S. developers now use AI coding tools daily. Forty-one percent of all global code written in 2024 was AI-generated, representing 256 billion lines. Among Y Combinator’s Winter 2025 cohort, 25 percent of startups reported codebases that were 95 percent AI-generated.

The productivity numbers are real. The security numbers are terrifying. And the industry is only beginning to reckon with what happens when both are true at the same time.

What Actually Happened

The story of vibe coding in 2025 is essentially the story of a technology going from experimental workflow to mainstream practice faster than governance structures could adapt.

When Karpathy coined the term, he was describing his own development process for personal prototypes. He would describe goals to an AI, receive code, provide feedback, and iterate — “I just see stuff, say stuff, run stuff, and copy-paste stuff, and it mostly works,” he said. For prototyping, it was genuinely transformative. A Minimum Viable Product that once took three months and $50,000 could be built, tested, and deployed over a long weekend for the cost of an API subscription.

The productivity data accumulated quickly. According to secondtalent.com, 74 percent of developers report increased productivity when using vibe coding approaches. IBM reported that internal tools built with vibe coding techniques reduced development time by 60 percent for enterprise applications. Vendor studies from GitHub, Google, and Microsoft found developers completing tasks 20 to 55 percent faster.

But by mid-2025, a different set of data was starting to emerge. In July 2025, METR — an organization that evaluates frontier AI models — ran a randomized controlled trial with experienced open-source developers. As documented on wikipedia.org’s vibe coding entry and confirmed by multiple independent sources, they found that experienced developers were 19 percent slower when using AI coding tools on familiar repositories, despite predicting they would be 24 percent faster and still believing afterward that they had been faster. The productivity gain they felt was not the productivity gain they experienced.

Then the security data arrived.

Why This Time Is Different

The defining tension of vibe coding is captured in a single statistic from the Veracode 2025 GenAI Code Security Report, cited across multiple independent analyses including contextstudios.ai and baytechconsulting.com: 45 percent of AI-generated code introduces security vulnerabilities. Not in edge cases. Not in stress tests. In normal, everyday code generation across 100 leading large language models and 80 distinct coding tasks.

The breakdown from CodeRabbit’s analysis of over 10 million pull requests makes the picture more specific. AI co-authored code showed 2.74 times higher rates of security vulnerabilities. Business logic bugs were 2.25 times more common. Missing error handling occurred 1.97 times more frequently. Null reference risks were 2.27 times higher. A December 2025 security assessment by Tenzai, comparing five leading vibe coding platforms — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — found 69 vulnerabilities across 15 test applications, several rated critical.

What makes this structurally different from previous code quality concerns is the nature of who is now writing production code. As documented on samuelodekunle.medium.com in a February 2026 analysis, “shadow development” has emerged as a new category of risk. Non-technical users — marketing managers, finance analysts, founders with no engineering background — are now building production applications using vibe coding tools. They have Cursor and a deadline. They have never heard of OWASP. They don’t know what prepared statements are. And the app works when they test it on their laptop.

The vulnerabilities in these applications are not sophisticated. According to the analysis on samuelodekunle.medium.com, they are embarrassingly basic: hardcoded credentials, open Firebase instances left with default settings, no authentication middleware on admin API routes. The Tea App breach of July 2025 — which exposed approximately 72,000 images including 13,000 government ID photos — was traced back not to a sophisticated attack but to a Firebase storage system left completely open with default settings. The company was, in the language researchers now use, a vibe coding casualty.
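As an added illustration (not code from the article, nor from any tool or company it names), here is the “no authentication middleware on admin API routes” pattern beside its hardened form. The dependency-free mini-router, the handlers and the sample user list are constructed assumptions that imitate the Express middleware chain without requiring the package:

```javascript
// Added example, not from the article: an admin route mounted with no
// authentication middleware next to the hardened form. The mini-router
// below is an assumption that imitates the Express middleware chain
// without requiring the package.
function createRouter() {
  const routes = [];
  return {
    get(path, ...handlers) { routes.push({ path, handlers }); },
    // Dispatch one request through the route's middleware chain.
    handle(req) {
      const route = routes.find((r) => r.path === req.path);
      if (!route) return { status: 404, body: 'not found' };
      const res = { status: 200, body: null,
        send(status, body) { this.status = status; this.body = body; return this; } };
      let i = 0;
      // A handler that does not call next() ends the chain (e.g. a 401).
      const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next); };
      next();
      return { status: res.status, body: res.body };
    },
  };
}

const USERS = [{ id: 1, email: 'alice@example.com' }]; // constructed sample data

// Vibe-coded version: the handler runs for any caller, authenticated or not.
function vulnerableApp() {
  const app = createRouter();
  app.get('/admin/users', (req, res) => res.send(200, USERS));
  return app;
}

// Hardened version: requireAuth rejects requests without a session, and
// requireAdmin rejects sessions that lack the admin role, before the
// handler ever runs. Session contents are assumed to come from a verified
// cookie or token; that verification is outside this sketch.
function requireAuth(req, res, next) {
  if (!req.session || !req.session.userId) return res.send(401, 'unauthorized');
  next();
}
function requireAdmin(req, res, next) {
  if (req.session.role !== 'admin') return res.send(403, 'forbidden');
  next();
}
function hardenedApp() {
  const app = createRouter();
  app.get('/admin/users', requireAuth, requireAdmin, (req, res) => res.send(200, USERS));
  return app;
}
```

The difference is one line in the route registration, which is exactly the kind of line a reviewer who has “forgotten the code exists” never looks at.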

The Outlier: Who Is Actually Benefiting

The productivity gains from vibe coding are not evenly distributed, and understanding who benefits most reveals where the real value lies.

According to secondtalent.com’s analysis, senior developers with 10 or more years of experience report 81 percent productivity gains from vibe coding approaches. They use AI to handle routine tasks while maintaining focus on architecture and judgment. Junior developers report lower gains and higher rates of debugging time. The data also shows that 63 percent of developers have, at least once, spent more time debugging AI-generated code than they would have spent writing it themselves.

The outlier winner is the category that Techie Fellow’s Medium analysis describes as “Orchestrators”: developers who have stopped competing with AI at the implementation layer and instead treat AI as a fleet to be directed. In this model, the human role centers on defining intent, structuring context, evaluating output, and catching the failure modes that AI reliably misses. The fastest typists are being replaced. The best decision-makers are being promoted to what the analysis calls “Architects of Intent.”

The startup ecosystem shows this most clearly. Y Combinator’s Winter 2025 cohort is building faster than any previous generation. But the founders who are building sustainably are the ones who understand enough about what is being generated to know when the vibe has gone wrong.

The Misread Story

The dominant narrative around vibe coding in 2025 was a binary: either AI is revolutionizing development and productivity is soaring, or vibe coding is dangerous and should be avoided. Both camps had data to support their position. Both camps were reading incomplete pictures.

The headline said: vibe coding makes everyone a developer. The reality is: vibe coding makes everyone capable of shipping code, which is not the same thing. The gap between code that works in a demo and code that is secure, maintainable, and reliable in production has never been larger. As Kristin Darrow wrote in her February 2026 state of vibe coding analysis at kristindarrow.com, “The defining tension of 2026 is whether improved AI coding models and tooling can close the gap between software that works and software that is secure, maintainable, and reliable.”

The researchers who studied METR’s findings captured something important: experienced developers were not just slower when using AI tools — they were wrong about whether they were slower. This is not a small finding. It means that developer intuition about AI-assisted productivity is systematically miscalibrated in some contexts. The tools feel fast. The results are sometimes not.

The Bigger Shift

The most underreported story inside the vibe coding debate is a January 2026 economics paper titled “Vibe Coding Kills Open Source,” authored by researchers from Central European University and the Kiel Institute for the World Economy, covered by dataconomy.com. The paper argues that vibe coding is quietly eroding the open-source software ecosystem in a way that has no obvious fix.

The mechanism is this: vibe coding agents assemble applications by selecting and integrating open-source components, often without users ever reading documentation, filing issues, or engaging with maintainers. Stack Overflow posting activity has declined measurably as developers use private AI chat sessions instead of public Q&A. The engagement through which open-source maintainers earn their returns — direct user interaction, bug reports, community feedback — is being disintermediated by AI. The paper predicts this will reduce entry and sharing in open source, decrease variety and average quality, and could lower overall welfare even as individual coding speed improves.

This matters because the entire vibe coding ecosystem is built on open-source foundations. If vibe coding systematically weakens those foundations while depending on them, it is building on sand.

What the Infrastructure Looks Like

The vibe coding toolscape has evolved from basic code completion to what researchers now call “Agentic OS” — environments where AI has terminal access, browser access, and deployment keys. Tools like Cursor and Windsurf no longer just suggest code within an IDE. They plan multi-step tasks, execute them, encounter errors, debug the errors, and retry without human intervention.

McKinsey data shows 62 percent of organizations are now experimenting with autonomous AI agents that don’t just suggest code but actually ship it. The independent analysis at getpanto.ai summarizes the structural reality clearly: “The differentiator in 2026 will not be whether teams use vibe coding, but how explicitly they mitigate its failure modes.”

What This Means for You

If you are a developer, the question is not whether to use vibe coding tools. At 92 percent daily usage among U.S. developers, abstaining is increasingly a competitive disadvantage. The question is whether you are using them with the discipline to catch what they miss.

The practical framework emerging from developers who are navigating this well — documented on developers.redhat.com in a February 2026 analysis — separates vibe coding contexts from engineering contexts. Prototyping, internal tools, UI scaffolding, and data exploration are vibe coding territory. Authentication systems, payment flows, anything touching sensitive user data, and anything in production at scale requires engineering discipline regardless of how the initial code was generated.

If you are a non-technical founder or business user who has discovered vibe coding tools, the productivity gains are real and accessible. The risk is equally real. The Tea App breach was not a sophisticated attack. It was a Firebase instance left open with default settings. The OWASP vulnerabilities in 45 percent of AI-generated code are not exotic. They are the basics that professional developers learn to check automatically and that vibe coders who “forget the code even exists” will never check at all.

Vibe coding does not eliminate engineering effort. It redistributes it. The question in 2026 is whether you know where it went.


Follow more analysis at bintangtobing.com