Two real vulnerabilities. One false positive. Three advice conversations with Replit. Zero broken features.
Evident-AI is a study and document management platform built on Replit using PostgreSQL and OpenAI. Real users, real data, real login system — built without a traditional development background using AI-assisted development.
Like most apps built this way it worked perfectly. Users could sign up, upload documents, and use the AI features. But working and secure are two different things.
I submitted the Evident-AI GitHub repository to Verilay. The analysis read 18 files including package.json, auth middleware, API routes, database schema, and environment config. The result came back as a C grade with 2 critical findings and 3 warnings.
Two packages had known security vulnerabilities — protobufjs 7.5.4 and @google-cloud/storage 7.18. Both had patched versions available.
The OpenAI-powered endpoints had no rate limiting. A malicious user could make hundreds of requests per minute — running up API costs with no ceiling.
Verilay flagged admin routes as potentially unprotected. This was incorrect — Replit Auth was handling this correctly. The middleware was present but written in a pattern Verilay did not initially recognise.
Instead of asking Replit to fix everything, each prompt asked it to investigate and explain first. This is the "advise, not fix" approach.
Conversation 1 — Dependency vulnerabilities:
"I received a security review flagging protobufjs 7.5.4 and @google-cloud/storage 7.18 as having known vulnerabilities. Can you review these dependencies and advise what the actual risk is for this app, and whether updating them is safe?"
Replit confirmed both were genuine. It updated protobufjs to 7.6.2 and @google-cloud/storage to 7.19. No features broke.
Conversation 2 — Rate limiting:
"I received a security review noting that the OpenAI API endpoints have no rate limiting. Can you review the current endpoint structure and advise what rate limiting approach would work here without breaking existing functionality?"
Replit agreed this was a real risk. It added per-user rate limiting — 10 requests per minute per user with a clear error message when exceeded. Total time: 20 minutes.
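A per-user limit of this shape can be sketched as follows. This is an added example, not the code Replit generated for Evident-AI: it assumes an Express-style app whose auth middleware sets `req.user.id`, and `createUserRateLimiter`, the response bodies and the in-memory `Map` are hypothetical choices.

```javascript
// Added example: sliding-window limiter, 10 requests per 60 s per authenticated user.
// Assumptions: Express-style req/res, and auth middleware that sets req.user.id.
function createUserRateLimiter({ limit = 10, windowMs = 60000, now = Date.now } = {}) {
  const hits = new Map(); // userId -> timestamps (ms) of accepted requests in the window

  function check(userId) {
    const t = now();
    // Keep only the requests that are still inside the window.
    const recent = (hits.get(userId) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= limit) {
      hits.set(userId, recent);
      // Seconds until the oldest counted request leaves the window.
      const retryAfterSec = Math.ceil((recent[0] + windowMs - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    recent.push(t);
    hits.set(userId, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterSec: 0 };
  }

  // Mount after the auth middleware so the key is the user, not a spoofable header or IP.
  function middleware(req, res, next) {
    const userId = req.user && req.user.id;
    if (!userId) return res.status(401).json({ error: "Authentication required." });
    const result = check(String(userId));
    if (!result.allowed) {
      res.set("Retry-After", String(result.retryAfterSec));
      return res.status(429).json({
        error: `Rate limit exceeded: ${limit} AI requests per minute. Try again in ${result.retryAfterSec}s.`,
      });
    }
    next();
  }

  // Call periodically to drop idle users so the map does not grow without bound.
  function sweep() {
    const t = now();
    for (const [id, stamps] of hits) {
      if (stamps.every((ts) => t - ts >= windowMs)) hits.delete(id);
    }
  }

  return { check, middleware, sweep, size: () => hits.size };
}
```

The counters live in one process's memory, so a deployment with several instances needs a shared store for the limit to hold across them.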
Conversation 3 — Admin route authentication:
"I received a security review flagging admin routes as potentially missing authentication. Can you review the auth middleware and confirm whether these routes are actually protected?"
Replit confirmed the routes were fully protected. The Replit Auth middleware was correctly applied. We marked it as verified in the report — false positive confirmed.
Working and secure are different things. Evident-AI worked perfectly before the scan. Users were logging in, documents were being processed. But two genuine vulnerabilities were sitting there quietly.
Not every finding is real. One of three critical findings was a false positive. Without the verify step — without asking Replit to investigate before acting — we might have tried to fix something that was not broken and actually caused a problem.
B is the right target. After fixing two genuine issues Evident-AI scored B. That is the realistic target for an AI-built app. B means properly secured for real users. A requires enterprise-level hardening that goes well beyond what any AI builder can automate.