What does Kingbird Solutions do?

Kingbird is a custom software development studio for non-technical founders. We build custom apps, AI chatbots, LLM integrations, and AI systems integration projects. We also take over stalled software products from other developers or agencies and ship them. Every engagement has senior US operator oversight and clean IP handoff.

Who hires Kingbird for custom software development?

Non-technical founders and small business owners — typically 5 to 100 employees — who have a software product that isn't moving. Usually because a developer left, an agency dropped them, or the team they hired couldn't finish. Domain experts with a problem and no senior engineer left in the room.

Do you build AI chatbots and LLM integrations?

Yes. We build AI chatbots, Claude and OpenAI integrations, retrieval-augmented generation layers, agentic workflows, and model routing as part of every engagement. AI-native from day one, not a Phase 2. We scope AI features as workflows with evals — not boxes to check.

Can you do AI systems integration across our existing tools?

Yes. Integrating AI into an existing stack — CRM, ERP, patient records, payments, support tooling — is one of our core engagement shapes. We handle the routing, retrieval, permissions, and fallback logic so the AI layer is useful instead of unpredictable.

Can you take over a project another developer started?

Yes. Takeovers are our primary engagement shape. We read the code, stabilize what's running, and ship the roadmap. Most takeovers land their first meaningful update inside 30 days. Takeover retainers typically run $6k–$18k per month from $75 per hour.

Do you build new custom apps from scratch?

Yes, under a fixed-scope sprint. New MVPs, AI chatbot builds, integration modules, and compliance layers. Typical fixed-scope engagements run $15k–$75k over 6–16 weeks and ship with a runbook your team can operate without us.

What does Kingbird cost?

Custom development starts from $75 per hour, blended across senior US oversight and delivery capacity. Takeover retainers typically $6k–$18k per month. Managed retainers $8k–$25k per month. Fixed-scope builds $15k–$75k. Stabilization Review is a flat $4,500 for a ten-day diagnostic with a written 30/60/90 plan.

You do. Every contract includes full IP assignment. Work happens in your repo, your cloud, your stack. No licensing, no vendor lock-in, clean handoff whenever you want it.

Phoenix, Arizona. The studio is fully remote and syncs to North American time zones with Mountain Time as the default for standing meetings. Chris King is the named US operator on every engagement from kickoff through handoff.

What if my industry isn't on your list?

If you're a non-technical founder with a stalled or unbuilt software product, we probably fit. Book the fit call — we'll tell you on the first conversation whether we're the right shop or point you somewhere that is.

← All Field Notes

Field Notes · No. 6

Your vibe-coded app is leaking: what the Lovable security breach means for non-technical founders

A Lovable vulnerability exposed every project built before November 2025. What founders running Lovable, v0, or Bolt apps should rotate, audit, or rebuild this week.

April 21, 20266 min readChris King / Kingbird Solutions

Field Notes dispatch: VIBE-CODED. EXPOSED. Every Lovable project before Nov 2025 was reachable by any free account. 18,000 users affected.

On April 20, 2026, security researchers disclosed that Lovable — the AI app builder — had left every project created before November 2025 reachable by any free-tier account. Source code, database credentials, AI chat history, and customer data. A researcher reported the flaw to Lovable via HackerOne on March 3. Lovable patched new projects but left older ones live for 48 days. When researchers went public Monday, Lovable's first public response called the exposure "intentional behavior" before walking it back.

One audited Lovable-built app contained 16 vulnerabilities. Six critical. Roughly 18,000 users' records were exposed.

If your business runs on an app built with Lovable, v0, Bolt, Cursor, or any other AI app builder, stop reading and rotate your keys. Then come back.

What happened

The flaw is a Broken Object Level Authorization (BOLA) on Lovable's platform API. Any authenticated user could enumerate other users' projects and pull the contents. The exposed surface covered source code, Supabase connection strings, AI chat history (including any secrets pasted into prompts), and customer records from whatever database the generated app connected to.

Researchers reported the vulnerability on March 3, 2026. Lovable rolled out a patch for projects created on or after November 2025 on April 2. Projects created before that date stayed exposed until the researchers disclosed publicly on April 20. That is a 48-day window where the flaw was known to Lovable, patched for new customers, and left live for existing ones. Accounts tied to employees at Nvidia, Microsoft, Uber, and Spotify were among those affected.

The compounding issue: Lovable ships apps that connect to Supabase without row-level security policies enabled by default. Supabase with RLS off will serve any row to any authenticated request. So even apps on patched infrastructure leak at the application layer if the person who prompted them didn't know to turn RLS on. Most non-technical founders don't.

Why every AI app builder has this problem

The studio has audited apps generated by Lovable, v0, Bolt, and Cursor on behalf of founders. They share a pattern.

Authorization is wired at the UI layer (hidden buttons, React guards). Not at the API. The server trusts whatever the client asks for.
Supabase or Firebase connections ship with admin-level keys in the client bundle.
Row-level security policies either don't exist or permit everything.
Environment variables with real production secrets sit in the generated repo.
Input validation lives on the happy path. The LLM does not think adversarially.

None of this is the AI's fault. These platforms optimize for time-to-first-demo, not time-to-safely-deployed. Founders who have never shipped production software don't know what's missing. They find out when something leaks.

What should I do this week?

Three actions. Today.

1. Rotate every credential the app has touched. API keys for Supabase, Firebase, Stripe, OpenAI, SendGrid, Twilio — assume exposed. If you built on Lovable before November 2025, assume your chat history was pulled, and any secret you pasted into an AI prompt is compromised.

2. Turn on row-level security. In Supabase: RLS on for every table, default-deny, then write explicit policies per table. In Firebase: tighten your security rules. In any custom backend: verify authorization runs server-side, not only in the UI.

3. Have a developer read the generated code. Not the product. The code. Every route handler. Every database query. Every auth check. Grep for embedded secrets. Verify admin routes are gated on the server.

If you don't have a developer who can do all three, pause the app and get an audit this week.

What an audit of an AI-built app looks like

A Kingbird audit of an AI-generated app is targeted at the failure patterns AI builders produce. It is not a generic security review.

The process runs two to five business days for a typical Lovable-sized app:

Enumerate every API endpoint. Test each one without auth, with a different user's token, and with malformed input.
Read every database policy. Compare it against what the UI implies the user can do.
Grep the generated repo for embedded secrets.
Verify admin routes are gated server-side, not only in the UI.
Review the LLM's chat history for anything that should never have been committed to the repo.

The deliverable is a written list of what is exposed, what needs to change in the next 30 days, and a runbook for turning on the security controls the AI skipped. If the app is salvageable, the studio patches and hardens. If the auth layer, data access layer, or payments code can't be repaired, we rebuild those pieces.

Who we are

Kingbird Solutions is a custom software development studio based in Phoenix, Arizona. The studio takes over stalled software products, runs managed development retainers, and ships fixed-scope builds for non-technical founders. A senior US operator, Chris King, is on delivery from kickoff through handoff on every engagement.

The studio built and ships BuddySOS, a consumer safety app with real customer data and real security constraints. The audit process above is the same one we run on our own code before a release.

Next steps

Five audit slots open this week. Pick the path that fits.

You want a fast read on whether your AI-built app is leaking. Run the Stalled Project Diagnostic. Seven questions, five minutes, a real answer. No signup wall.
You want the studio to audit the code this week. Book a 30-minute fit call. We'll tell you what an audit costs, what we'll likely find, and what comes after.
You already know you need an audit and want a fixed-price proposal. Book a scoping call with AJ. Fastest path to a contract.
You want a paid, low-risk review before committing. The Stabilization Review is a ten-business-day engagement at $4,500 flat. Written 30/60/90 plan plus a live debrief. You keep the plan whether or not we keep working together.

Whatever path you pick, do not leave a Lovable, v0, or Bolt app in production without an engineer reading the code. This week.

Related Field Notes