Vibe Coding: Programming Revolution or the Most Expensive Bullshit of 2025 | Sigmatic

Vibe Coding: Programming Revolution or the Most Expensive Bullshit of 2025


Authors: Sigmatic Science


Picture this: you sit down at your computer, open a chat with an AI, and type: «Build me a task management app with authentication, a database, and a beautiful interface.» Twenty minutes later, you have a working prototype. You didn’t write a single line of code. You don’t even know what language it’s written in. But it works. You hit Deploy.

That’s exactly how Andrej Karpathy — former AI director at Tesla and one of OpenAI’s co-founders — described a new style of development he coined vibe coding in February 2025. «I just see things, say things, run things, and copy things,» he tweeted, «and it mostly works.» Collins Dictionary named «vibe coding» their word of 2025. Within a year, this one person’s tweet had spawned a billion-dollar industry.

But «mostly works» — how much is «mostly»?

The Promise: 55% Faster

Early studies painted a rosy picture.

In 2023, GitHub and Microsoft ran a randomized controlled trial — the gold standard of evidence-based medicine, applied to programming for the first time. 95 developers were split into two groups: one with AI assistant Copilot, one without. The task: implement an HTTP server in JavaScript. Result: the Copilot group finished 55.8% faster.

One and a half times the speed. Sounds like a superpower.

Australia’s ANZ Bank ran a similar experiment with their engineers. Also a boost. A study of real industry projects showed development time cuts of 33–36%. The 2025 Stack Overflow survey reported that 84% of developers use AI tools — up from 76% the year before. Every other developer uses them daily.

But look at the fine print and the picture starts to blur.

The GitHub experiment task was a single HTTP server in JavaScript. Not a distributed system. Not legacy code with a decade of history. Not a bank’s mission-critical backend. A simple, isolated task with clear requirements. AI genuinely flies on tasks like these. The question is: does your workday consist of such tasks?

The METR Paradox: More Experience, Less Speed

In July 2025, research organization METR — the same group that evaluates AI model safety for the U.S. government — published results that sent shockwaves through the industry.

16 experienced open-source developers. 246 real tasks from their own repositories — not textbook exercises, but actual bugs and features from live code. Each developer solved every task twice: once with AI, once without. A randomized controlled trial with crossover design — methodologically airtight.

Result: with AI, developers worked 19% slower.

Not a typo. Not «less efficiently.» Slower. Before the experiment, the same developers had predicted AI would speed them up by 24%.

Where did the time go? Researchers measured it: developers spent fewer minutes writing code, but more time crafting prompts, waiting for responses, reading generated code, and fixing errors the AI introduced. Net result: a loss.

The Dunning-Kruger effect in reverse: experienced programmers knew enough to spot AI’s mistakes, but couldn’t stop themselves from spending time trying to «prompt their way» to the right result. They got stuck in a loop of «almost right, let me try once more.»

Stack Overflow’s results confirm the pattern: 66% of developers named «almost right but not quite» as their top frustration with AI tools. 45% said debugging AI-generated code took longer than expected. Overall satisfaction with AI tools dropped from 70%+ to roughly 60% in a single year.

But wait. If experienced developers lose time with AI, how do you explain million-dollar startups built without a single line of handwritten code?

The Gold Rush: When Vibe Coding Works

Swedish company Lovable started as GPT Engineer — an experiment in prompt-to-code generation. By November 2024, they’d transformed it into a visual app builder and relaunched. Within two months, revenue exceeded $5 million. At its peak, the platform was earning about a million dollars a day.

Forbes called Lovable the fastest-growing SaaS in history.

A non-programmer named FrameSage built a product through Lovable in 10 days and hit $50,000 in revenue. Brazilian EdTech company QConcursos, with 200 employees, created a premium version of their app in two weeks — instead of a year of conventional development. Restaurant platform Quick generated $120,000 in sales.

But the most jaw-dropping story is Base44. A non-technical founder used vibe coding to build a no-code platform. In less than six months: a team under 10 people, 300,000 users, profitable. Wix acquired the company for approximately $80 million in cash.

Eighty million dollars for a product built by someone who can’t code.

What do all these stories have in common? Three things. First: the founders knew their market intimately — they were solving a specific pain for specific people. Second: they were making money from day one, not waiting for a «perfect product.» Third, and most important: when AI couldn’t handle the backend or integrations, they hired people and rewrote critical pieces by hand.

In other words: vibe coding worked as an accelerator from idea to first revenue. But none of these products remained fully «vibe-coded.»

What happens when they do?

A Catalog of Catastrophes

The Deleted Database

July 2025. A startup uses Replit — one of the most popular AI coding platforms. Their AI agent manages the backend. Someone gives it a vague command: «Clean up unused data.» The agent dutifully executes SQL DELETE on a production PostgreSQL database. Company data — gone. Backup? The agent didn’t think of that. Sandbox? The agent was running directly on prod.
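
One way to bound what such an agent can do on PostgreSQL, shown as an added example that is not from the original article or from Replit: a dedicated role that can read application data but holds no write or DDL privileges. The role and table names (ai_agent, customers) are hypothetical.

```sql
-- Added example. ai_agent and customers are hypothetical names.

-- Sample table standing in for production data.
CREATE TABLE IF NOT EXISTS public.customers (
    id    bigserial PRIMARY KEY,
    email text NOT NULL
);

-- Dedicated identity for the agent: no superuser, no database or role
-- creation, no RLS bypass. Credentials are provisioned separately.
CREATE ROLE ai_agent LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;

-- Before PostgreSQL 15 every role could create objects in "public"
-- through the PUBLIC pseudo-role; remove that so the agent cannot either.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Start from nothing, then grant read access only.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM ai_agent;
GRANT USAGE  ON SCHEMA public TO ai_agent;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ai_agent;

-- Tables created later by the role running this script get the same
-- read-only grant and nothing more.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO ai_agent;

-- Guard rails on top of the grants. A session can override these
-- settings, so the GRANTs above remain the actual boundary.
ALTER ROLE ai_agent SET default_transaction_read_only = on;
ALTER ROLE ai_agent SET statement_timeout = '30s';

-- Verify the boundary: destructive privileges on the sample table,
-- including anything inherited through PUBLIC or role membership.
SELECT has_table_privilege('ai_agent', 'public.customers', 'DELETE')   AS can_delete,
       has_table_privilege('ai_agent', 'public.customers', 'TRUNCATE') AS can_truncate,
       has_schema_privilege('ai_agent', 'public', 'CREATE')            AS can_create;

-- Audit: every table privilege other than SELECT that reaches the agent,
-- directly or through PUBLIC.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee IN ('ai_agent', 'PUBLIC')
  AND table_schema = 'public'
  AND privilege_type <> 'SELECT'
ORDER BY table_name, privilege_type;
```

Write access for a cleanup job would go to a separate role, used against a restored copy of the data first, rather than being added to this one.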

170 Apps with Exposed Data

CVE-2025-48757 — a critical vulnerability in apps built on the Lovable platform. The problem: no Row-Level Security in databases by default. Result: in roughly 170 applications, any user could see another user’s data. No authentication required. Just visit the URL and browse.
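
What the missing control looks like in PostgreSQL terms, as an added example that is not code from Lovable or from the original article: a per-user table without Row-Level Security, the corrected form, and a catalog query that lists tables still lacking it. The table, role and setting names (notes, app_user, app.user_id) are hypothetical.

```sql
-- Added example. notes, app_user and app.user_id are hypothetical names.

-- A per-user table created without RLS: any role holding SELECT on it
-- can read every user's rows.
CREATE TABLE notes (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL,
    body     text NOT NULL
);

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE ON SEQUENCE notes_id_seq TO app_user;

-- Corrected: enable RLS and tie every statement to the caller's own rows.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;  -- applies to the table owner too

-- If app.user_id is unset or empty the comparison yields NULL, so the
-- policy fails closed. Superusers and BYPASSRLS roles still skip RLS.
CREATE POLICY notes_owner_only ON notes
    FOR ALL
    TO app_user
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- The application sets the authenticated user's id per transaction.
-- The UUID below is a constructed sample value.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '00000000-0000-0000-0000-000000000001', true);
SELECT id, body FROM notes;  -- RLS filters this to rows owned by app.user_id
COMMIT;

-- Audit: ordinary and partitioned tables in "public" with RLS still off.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT c.relrowsecurity
ORDER BY c.relname;
```

Running the audit query in CI against a freshly migrated database turns a forgotten policy into a failed build instead of an exposed table.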

The «SaaSpocalypse»

By 2026, the AI skills marketplace OpenClaw had accumulated over 900 «skills» — ready-made modules for AI assistants. Developers installed them «by vibe,» without review. Some of those skills were malicious. Result: remote code execution across thousands of enterprise servers. The press dubbed it the «SaaSpocalypse» — a wave of SaaS incidents caused by AI-generated code without oversight.

The Indie Dev and the Two-Week Collapse

One indie developer publicly boasted that his SaaS was entirely AI-written — «zero handwritten code.» Cursor did everything. Two weeks after launch: random behavior in the product, API key overspending hitting the ceiling, users bypassing the subscription and creating arbitrary data in the database. The app became unmanageable.

The Numbers

Veracode’s 2025 report: 45% of AI-generated code snippets contain at least one vulnerability. Bright Security ran dynamic testing on an app fully assembled by an AI assistant: 4 critical and 1 high-severity issues — authentication bypass, IDOR, weak sessions. Static analysis showed «clean.» The vulnerabilities were invisible to automated scanners — only dynamic testing found them.

Specific CVEs from 2025–2026 read like dispatches from the front:

| CVE | What happened |
| --- | --- |
| CVE-2025-55182 | Remote code execution in Next.js — the framework generated by Lovable, Replit, and Vercel v0 |
| CVE-2025-55284 | Secret exfiltration via DNS queries from Claude Code — AI assistant leaked keys via prompt injection |
| CVE-2025-54135 | RCE on developer machines through MCP servers in Cursor |
| CVE-2025-31125 | Vite dev server exposed externally by AI assistant — full access to internal environment |

The pattern is always the same: AI tools get broad access to file systems, networks, databases, and servers. But control over configuration and dependency management is weak or nonexistent.

The Fault Line: Demo vs. Product

By this point, you’ve probably noticed the contradiction. Some studies say «55% faster.» Others say «19% slower.» Some startups sell for $80 million. Others collapse in two weeks.

There is no contradiction. There’s a fault line, and it runs right between demo and product.

On simple, isolated tasks, AI genuinely speeds things up. On complex systems with real users, it slows you down. It can produce a prototype in minutes. A reliable production system — no.

The comprehensive review «Vibe Coding in Practice» (2025) analyzed 101 practitioner sources and 518 behavioral accounts. The authors framed their central finding as a paradox: developers come to vibe coding for speed, but end up with a product that’s fast but flawed. They introduce the term «a new class of vulnerable developers» — people who can ship products but don’t understand what they’ve shipped.

Analogy: vibe coding is like a microwave. It reheats food in a minute. But if you try to cook a restaurant-quality steak in it, you’ll get a rubber sole. The tool isn’t bad. It’s just for something else.

Simon Willison — one of the most respected voices in the developer community, creator of Datasette and former Django contributor — draws an important line. If AI wrote all the code, but you read it, tested it, and understand it — that’s not vibe coding. That’s just using AI as a tool. Vibe coding begins where you stop understanding the code you’re accepting.

And that’s exactly where the problems start.

Anatomy of a Hangover

By late 2025, the euphoria had started to give way to a reckoning.

Traffic to AI coding tools globally dropped 76% over 12 weeks. Even Lovable, the «fastest-growing SaaS in history,» swung from 207% growth to a 37% decline. The founder of Groove, who had built two AI products, publicly called vibe coding «expensive bullshit» that had led thousands of startups into a hidden crisis.

The numbers back this up: roughly 95% of generative AI pilots fail to deliver measurable revenue or savings. 42% of companies in 2025 abandoned most of their AI initiatives — double the rate from the previous year. MIT and RAND estimate that 70–90% of AI projects don’t scale beyond pilot stage.

The problem isn’t AI itself. The problem is that people confuse speed of assembly with speed to market. It’s easy to «crank out features» — it’s harder to talk to users, validate willingness to pay, build support, analytics, and infrastructure.

As one analyst put it: «Vibe coding doesn’t accelerate the path to product-market fit. It accelerates the path to a first prototype. And those are very different things.»

The Truth in the Middle (But Not Where You’d Expect)

So what do we have?

Vibe coding works when:

  • The task is simple and isolated (HTTP server, landing page, calculator, CRUD app)
  • The goal is a prototype or MVP, not a final product
  • The user understands the market and is prepared to finish critical pieces by hand
  • Someone checks security and architecture before deployment
  • The stakes are low: personal project, internal tool, marketing experiment

Vibe coding breaks when:

  • The system is complex, with many components and integrations
  • Code goes to production without review
  • The developer doesn’t understand what the AI generated
  • Security, scalability, and maintainability are critical
  • The founder believes «AI will solve everything» and doesn’t hire engineers

The key word is control. The success stories (FrameSage, Base44, QConcursos) share one thing: people used AI for speed but didn’t hand it the steering wheel. The failure stories share something else: people handed over the wheel completely.

Who Can Be a Vibe Coder (And Who Can’t)

Here’s what nobody says out loud: vibe coding demands more competence from a person, not less.

A beginner is the worst candidate. They don’t know what they’re doing. They can’t tell working code from a ticking time bomb. AI generates an SQL injection — they hit Deploy and feel proud. They have no internal filter to say, «Wait, something’s off here.» A beginner with vibe coding is a driver without a license behind the wheel of a Formula 1 car. They can go fast. Not for long.

A specialist in one domain is also a miss. A brilliant frontend developer who decides to let AI whip up a backend with a database and auth? They’re a beginner at everything except layout. They won’t notice that AI put API keys directly in client-side code. They won’t understand why N+1 queries kill performance. They won’t see that the database schema is a house of cards. In their domain, they’re an expert. In someone else’s — the same beginner with the race car.

A full-stack developer, though — that’s a different story entirely. Someone who, over the course of their career, has built interfaces, written backends, configured servers, wrangled databases, handled deployment, and dealt with design. Not necessarily an expert in each of these areas — but they understand how they all connect. They see the system as a whole. When AI generates frontend code, they can evaluate it. When AI throws together API endpoints, they know what’s wrong. When AI proposes an architecture, they can see where it’ll fall apart in six months.

The irony is that vibe coding is marketed as a tool «for people who can’t code.» But it works best in the hands of people who can code everything.

The Safety Net: How Not to Crash into the Wall

Let’s say you’re an experienced full-stack developer and you’ve decided to vibe code. How do you keep AI-generated code from turning into a catastrophe in two months? The answer is control infrastructure. And you need to set it up before the first line of generated code, not after.

Linters are not optional — they’re mandatory. ESLint, Pylint, RuboCop — depends on your stack. AI generates code that «works» but violates hundreds of conventions: unused variables, unsafe patterns, deprecated API calls. A linter catches these automatically. Without a linter, every prompt is a lottery.

Code rules must be defined strictly and upfront. .eslintrc, .editorconfig, rules for your AI assistant in configuration files — as strict as possible. What naming convention? What patterns are forbidden? What’s the maximum function complexity? AI follows rules beautifully when you’ve spelled them out. When you haven’t, it invents its own. Different ones every time.

Prettier or an equivalent formatter is a must. Formatting seems like a minor thing, but AI-generated code without auto-formatting turns into chaos within a week. One prompt produces tab indentation, the next uses spaces. One adds semicolons, the next doesn’t. After a month, the codebase looks like it was written by twenty people in different time zones. In a sense, it was.

Full test coverage is the ultimate safety net. If vibe coding has one chance of surviving in production, it’s tests. Unit tests, integration tests, E2E tests. Here’s why: AI is excellent at generating tests — ask and it delivers. Then, with every subsequent prompt that changes logic, the tests will show exactly what broke. Without tests, you’re blind. With tests, you at least have radar.

Understanding project architecture — visually. This is a critically important point that almost everyone misses. You need to understand what your project looks like at the software level: what modules exist, how they’re connected, where data enters and exits, what dependencies exist between components. You don’t need to know every line — you need to see the map. If you can’t sketch your project’s architecture on a napkin in two minutes, you’ve lost control. And no AI will give it back.

The paradox: the more «safety net» you’ve set up before starting work, the more freedom you can give the AI. Linters, tests, rules, CI/CD pipeline — that’s not bureaucracy. That’s your parachute.

What This Means for the Industry

The industry is going through the classic Gartner hype cycle. The peak of inflated expectations («AI will replace programmers!») is already behind us. The trough of disillusionment («vibe coding is garbage!») is in full swing. Ahead lies the plateau of productivity, where these tools will find their real place.

And that place, based on the data, looks like this:

An AI coding assistant is a powerful tool in the hands of a competent developer. It speeds up routine tasks, automates boilerplate, helps with unfamiliar APIs and languages. According to GitHub, 934,000 Copilot users accept about 30% of suggestions — and that’s normal. It means 70% of suggestions are rejected because people spot problems. The tool works when a human is in control.

Vibe coding is a powerful tool in the hands of a competent entrepreneur. Not a programmer — an entrepreneur. Someone who knows their market, understands customer pain, and uses AI for rapid prototyping — but doesn’t try to build critical infrastructure on generated code.

Vibe coding is a ticking time bomb in the hands of someone who confuses a demo with a product. Rapid assembly creates an illusion of readiness. 45% of code with vulnerabilities, invisible technical debt, an architecture that collapses under first load — these aren’t code problems. They’re problems of expectations.

So Is It Good or Bad?

Remember the beginning of this article? Experienced developers 19% slower with AI. A startup with no handwritten code sold for $80 million. Both facts are true. They don’t contradict each other, because they describe different tasks.

If you’re an experienced developer working with a complex codebase you know like the back of your hand — AI will most likely slow you down. You’ll spend time on prompts, waiting, reading, fixing. Your expertise is worth more than generation speed.

If you’re an entrepreneur who wants to test an idea over a weekend — vibe coding may be the best tool available. But only if you understand that what you’ve built is a prototype. Not a product. Not a platform. Not a SaaS «for the ages.» A prototype that needs to be validated by the market and then rewritten properly.

Vibe coding is neither good nor bad. It’s fast. And fast is an amplifier. It amplifies both good decisions and bad ones. If you know what you’re doing, you’ll get there faster. If you don’t, you’ll hit the wall faster.

Only now the wall is made of CVEs and deleted databases.

Frequently Asked Questions

What is vibe coding in simple terms?

Vibe coding is a programming style where a developer describes a task in plain language and AI generates all the code. The key difference from simply using an AI assistant: in vibe coding, the person doesn’t read or review the generated code — they just run it. The term was coined by Andrej Karpathy (former AI director at Tesla) in February 2025.

Is it true that AI tools slow down experienced programmers?

Yes, the METR study (July 2025) showed that experienced developers solved tasks in their own projects 19% slower with an AI assistant. Before the experiment, they had predicted a 24% speedup. The reason: time saved on writing code is eaten up by prompting, waiting for responses, and fixing AI’s mistakes. However, on simple, isolated tasks, AI genuinely accelerates work by 33–55%.

How secure is AI-written code?

According to Veracode’s 2025 report, 45% of AI-generated code snippets contain at least one vulnerability. In 2025–2026, more than 6 critical CVEs were filed related to AI tools and vibe coding, including remote code execution, secret exfiltration, and mass access control failures. Static analyzers often miss these vulnerabilities — only dynamic testing catches them.

Can you build a real business through vibe coding?

Yes, but with caveats. There are success stories: Base44 (acquired by Wix for ~$80M), FrameSage ($50K revenue in 10 days), QConcursos (premium app in 2 weeks instead of a year). In every case, founders knew their market and hired people to rework critical components. Purely «vibe-coded» products without engineering oversight typically fall apart within weeks of launch.

Should a beginner learn programming through vibe coding?

This is a contentious question. Critics (including the ThePrimeagen community) argue that vibe coding creates an illusion of competence: a person ships products without understanding fundamental concepts. When something breaks, they can’t fix it. Simon Willison recommends using AI as a learning tool — but reading, understanding, and testing every line AI generates. In other words, doing the exact opposite of vibe coding.

Who is the ideal vibe coder?

A full-stack developer with broad experience across frontend, backend, databases, servers, and deployment. Not necessarily an expert in every area, but someone who understands how all the pieces fit together. They can evaluate AI output across every layer of the stack and spot architectural problems before they become catastrophes. Paradoxically, the people who benefit most from vibe coding are those who need it least.
