All papersPilot · MIT

The Vibe Tax: Where AI Coding's Security Risk Moved To

Authors
Han Kim
Papers
IOV Labs · open study · 4pp · 2026-07-17

Abstract

AI-assisted coding has exploded and developers feel faster, but the security of that code is a separate question. We prompt two models (Claude Haiku 4.5, GPT-4o-mini) to write ten security-sensitive Python tasks two ways, fast versus secure, and measure the result three ways at once: a per-task vulnerability oracle for whether the code is actually vulnerable, the generic scanner bandit for whether tools catch it, and the model's own self-rating for whether it knows (pilot, n=40). Three findings. First, a vibe tax: asking only for speed raises the vulnerability rate from 20 to 50 percent, in both models regardless of vendor (Claude 10 to 40, GPT 30 to 60). Second, the risk has moved: models are now safe by default on the famous bugs, SQL injection, command injection, weak hashing, and the failures concentrate in trust, verification, and output, JWT signature skipping, unsafe deserialization, XSS, SSRF, path traversal. Third, scanner blindness: of the 35 percent the oracle flags as truly vulnerable, bandit detects zero, matching the industry finding that tools miss most AI vulnerabilities. Self-rating partially discriminates (vulnerable code 3.5 out of 10, safe code 6.6) but that judgment only fires when you stop and ask, not during generation. The implication is that vibe coding's danger is not AI writing visibly broken code, it is quiet trust failures that pass the scanner and slip past the fast developer, and the fix is systemic, not a plea for more caution.

Keywords

Download PDF