I think one of the interesting parts in methodology is that due to structure of the integration between Lovable front-ends and Supabase backends via API, and the fact that certain high-value signals (for example, anonymous JWTs to APIs linking Supabase backends) only appear in frontend bundles or source output, we needed to introduce a lightweight, read-only scan to harvest these artifacts and feed them back into the attack surface management inventory.

Here is the blog article that describes our methodology in depth.

In a nutshell, we found:

- 2k medium vulns, 98 highly critical issues

- 400+ exposed secrets

- 175 instances of PII (including bank details and medical info)

- Several confirmed BOLA, SSRF, 0-click account takeover and others