THE ACQUISITION AUDIT: BUYER-SIDE SECURITY DILIGENCE FOR AI-BUILT SAAS
When we run a security scan within an hour of buyer takeover on an AI-built SaaS bought off Acquire.com, Flippa, or MicroAcquire, the recurring outcome is at least one critical or high finding present at close, and the listing almost never disclosed it. This catalog ranks the failure shapes we encounter at handover, gives the cheap buyer-side diligence steps that catch each one before the wire transfer, and suggests the LOI language that protects the buyer.
If you are buying a vibe-coded app, the catalog below is your checklist. If you are listing one, it is the diligence question your buyer is going to run.
Catalog scope
| Field | Value |
|---|---|
| Window | Jan 2026 – Apr 2026 |
| Source | Anonymized buyer-side engagements at handover + gapbench reproducible scenarios |
| Marketplaces covered | Acquire.com, Flippa, MicroAcquire (private deals) |
| Scan timing | Within 60 minutes of admin-access transfer |
| Reproducibility anchor | indie-saas, supabase-clone, multi-tenant-saas, auth-system, ref0 (clean control) |
We do not publish a corpus count of listings audited or the total spent because the engagement portion is anonymized by design. The diligence flow itself, reproducible against gapbench, is the part any buyer can verify before their next acquisition.
What is wrong on day zero
Findings recurrently present at the moment of close, classified by category and ranked by relative frequency.
| Finding class | Relative frequency | Severity |
|---|---|---|
| Missing or broken Supabase RLS | Most common | Critical |
| BOLA in CRUD endpoints | Highly common | High |
| Outdated dependencies with known CVEs | Highly common | High–Medium |
| Verbose error responses leaking stack traces | Common | Medium |
| Hardcoded secret in frontend bundle | Common | Critical |
| CORS allow-all on credentialed endpoints | Common | High |
| No HSTS | Common | Low |
| Seller-still-has-credentials post-handover | Common (and under-disclosed) | Critical |
| Test user accounts left in production | Less common but recurring | Medium |
| Stripe sk_live_ in bundle (subset of secret-in-bundle) | Less common, highest financial impact | Critical |
The standout — and the one most likely to be missed — is “seller still has credentials.” Marketplaces require the seller to transfer admin access to the buyer, but they do not require — and do not verify — that the seller has rotated their own credentials, removed their personal email from the DB user list, or revoked OAuth grants on connected services. We routinely find the seller can still log in as admin a week after handover.
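As an added example, not VibeEval's Token Leak Checker and not code from any listing: a scanner that does what the two bundle-secret rows in the table above call for. It pulls Stripe secret keys and JWT-shaped tokens out of a bundle, then decodes the JWT payload (no signature check is needed, the claims are what matter) to tell a Supabase anon key, which is expected in a frontend, from a service_role key, which bypasses RLS. The regexes, the sample bundle and the severity ranking are constructed assumptions that follow the findings table.

```python
"""Bundle secret scanner with Supabase role classification.

Added example for this catalog, not VibeEval's Token Leak Checker. The
patterns, the sample bundle and the severity ranking are assumptions that
follow the findings table: sk_live_ and a service_role JWT are critical,
sk_test_ is low, the anon JWT is expected in a frontend and only noted.
"""
import base64
import json
import re
from typing import Dict, List, Optional

# Supabase keys are JWTs, so one JWT pattern covers both the public anon key and
# the service_role key; the role claim in the payload tells them apart.
PATTERNS = {
    "stripe_secret": re.compile(r"sk_(?:live|test)_[A-Za-z0-9]{20,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]


def decode_jwt_payload(token: str) -> Optional[dict]:
    """Read the claims segment of a JWT without verifying the signature.

    Verification is beside the point here: we only want what the token says
    about itself. Base64url segments ship unpadded, so pad to a multiple of 4.
    """
    try:
        segment = token.split(".")[1]
        segment += "=" * (-len(segment) % 4)
        claims = json.loads(base64.urlsafe_b64decode(segment))
        return claims if isinstance(claims, dict) else None
    except (IndexError, ValueError):
        return None


def classify(kind: str, token: str) -> Dict[str, str]:
    """Turn one raw match into a finding with a severity a holdback clause can key on."""
    if kind == "stripe_secret":
        live = token.startswith("sk_live_")
        return {"type": "stripe_secret_key",
                "severity": "critical" if live else "low",
                "detail": "live-mode Stripe secret key" if live else "test-mode Stripe secret key"}
    claims = decode_jwt_payload(token) or {}
    role, issuer = claims.get("role"), claims.get("iss")
    if issuer == "supabase" and role == "service_role":
        return {"type": "supabase_service_role_key", "severity": "critical",
                "detail": "service_role JWT in the bundle; bypasses RLS entirely"}
    if issuer == "supabase" and role == "anon":
        return {"type": "supabase_anon_key", "severity": "info",
                "detail": "anon JWT; expected in a frontend, RLS must be on"}
    return {"type": "jwt", "severity": "medium",
            "detail": f"JWT with iss={issuer!r} role={role!r}; confirm what it unlocks"}


def scan_bundle(text: str) -> List[Dict[str, str]]:
    """Return one finding per distinct secret-shaped string in the bundle."""
    findings, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            token = m.group(0)
            if token in seen:
                continue
            seen.add(token)
            finding = classify(kind, token)
            finding["match"] = token[:12] + "..."   # never write the whole secret to a report
            findings.append(finding)
    return findings


def worst_severity(findings: List[Dict[str, str]]) -> str:
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="none")


def fake_supabase_jwt(role: str) -> str:
    """Unsigned JWT-shaped token for the constructed sample; the signature segment is junk."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": role,
               "iat": 1700000000, "exp": 2000000000}
    return ".".join([b64(header), b64(payload), "not-a-real-signature"])


# Constructed sample bundle: what a vibe-coded frontend looks like after a build
# step inlined every environment variable, including the two it must not.
SAMPLE_BUNDLE = (
    'const SUPABASE_URL="https://abcdefghijklmnopqrst.supabase.co";'
    f'const SUPABASE_ANON_KEY="{fake_supabase_jwt("anon")}";'
    f'const SUPABASE_ADMIN_KEY="{fake_supabase_jwt("service_role")}";'
    'const STRIPE_PK="pk_live_CONSTRUCTEDPUBLISHABLE0001";'
    'const STRIPE_SK="sk_live_CONSTRUCTEDSAMPLE0000000001";'
    'const STRIPE_SK_TEST="sk_test_CONSTRUCTEDSAMPLE0000000002";'
)

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"[{f['severity']:8}] {f['type']}: {f['detail']} ({f['match']})")
    print("worst:", worst_severity(results))
```

Run it against a real demo URL by fetching the bundle with curl and passing the text to scan_bundle; the report truncates every match so the finding can go into the holdback paperwork without copying the secret into it.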
By marketplace
| Marketplace | Relative critical-at-close incidence | Modal critical |
|---|---|---|
| Flippa | Highest (smaller, earlier-stage listings) | Hardcoded secrets |
| MicroAcquire (private deals) | High (less mediated handover) | Seller credentials retained |
| Acquire.com | Moderate (larger, more polished listings) | Missing RLS |
The differences are partly platform-mix — Acquire.com listings skew larger and more polished; Flippa listings skew smaller and earlier-stage. The seller-credentials-retained issue is more common on private deals because the handover is less mediated.
What sellers disclose vs what we find
Across the engagements:
- The modal listing includes no security disclosure of any kind.
- The minority that mentions security typically does not include a recent third-party audit.
- Compliance claims (GDPR, SOC2-ready) are the exception, not the rule; the ones we have seen came without supporting evidence, and none stood up to a five-minute check.
- Sellers do not, as a rule, disclose findings the scan eventually surfaces.
This is not a claim that sellers are dishonest. It is a claim that sellers do not know. Few of these apps have been previously scanned with anything close to this depth, and most builders cannot meaningfully describe the security posture of an app the AI built for them. The disclosure gap is structural.
The pre-close diligence we recommend
The steps that catch each finding class above before wire transfer. Each step has a clear gapbench reproducibility anchor so the buyer can practice the flow against a known-vulnerable target first.
| Step | Time | Cost | Failure shape caught |
|---|---|---|---|
| 1. Run Token Leak Checker on demo URL | 1m | $0 | Secrets in bundle |
| 2. Run Supabase RLS Checker | 1m | $0 | RLS off, permissive policy, service-role exposure |
| 3. Run Firebase Scanner | 1m | $0 | Open Firebase rules |
| 4. Test BOLA manually with two test accounts | 10m | $0 | BOLA on read/PATCH/PUT |
| 5. Run full VibeEval scan | 1m setup | $19 | All of the above + CORS, dependencies, long tail |
| 6. Verify seller has rotated credentials post-close | 15m | $0 | Seller-still-has-credentials |
The cumulative pre-close diligence that catches the modal critical-blocker categories: under 30 minutes of buyer time and $19. The cost of the criticals themselves, if exploited post-close, is unbounded.
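Step 4 above, as an added example rather than the gapbench multi-tenant-saas code or VibeEval's scanner: the two-account probe takes the resource paths the first (victim) account owns and replays GET and PATCH on each under the second account's token. It runs offline against a constructed in-memory stand-in for a /api/projects/<id> endpoint, built both without an ownership check (the BOLA shape) and with one (the hardened form); http_sender wires the same probe to a real base URL and assumes a bearer-token JSON API.

```python
"""Two-account BOLA probe for CRUD endpoints (diligence step 4).

Added example for this catalog, not VibeEval's scanner or the gapbench
multi-tenant-saas code. make_fake_api is a constructed in-memory stand-in for
a /api/projects/<id> endpoint so the probe runs offline; http_sender wires the
same probe to a real base URL and assumes a bearer-token JSON API.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Sequence, Tuple

# A sender takes (method, path, bearer_token, json_body) and returns (status, json_body).
Sender = Callable[[str, str, str, dict], Tuple[int, dict]]


def make_fake_api(enforce_ownership: bool) -> Sender:
    """In-memory projects API with constructed data for two tenants.

    enforce_ownership=False authenticates the caller but never checks that the
    caller owns the project: the BOLA shape in the findings table.
    enforce_ownership=True adds the owner check, the hardened form.
    """
    tokens = {"tok-alice": "alice", "tok-bob": "bob"}
    projects = {
        1: {"id": 1, "owner_id": "alice", "name": "alice-project"},
        2: {"id": 2, "owner_id": "bob", "name": "bob-project"},
    }

    def send(method: str, path: str, token: str, body: dict) -> Tuple[int, dict]:
        user = tokens.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        try:
            project = projects[int(path.rsplit("/", 1)[-1])]
        except (KeyError, ValueError):
            return 404, {"error": "not found"}
        if enforce_ownership and project["owner_id"] != user:
            # Answer 404, not 403, so the endpoint does not confirm the id exists.
            return 404, {"error": "not found"}
        if method in ("PATCH", "PUT"):
            # Allow-list the writable field; mass assignment is a separate finding.
            project["name"] = body.get("name", project["name"])
        return 200, dict(project)

    return send


def probe_bola(send: Sender, victim_token: str, attacker_token: str,
               owned_paths: Sequence[str], methods: Sequence[str] = ("GET", "PATCH")) -> List[Dict]:
    """Replay requests for resources the victim owns under the attacker's token.

    A path is flagged when the victim gets a 2xx (the id is real and the route
    works) and the attacker gets a 2xx for the same request. Writes carry a
    marker value so a landed PATCH is visible in the returned body.
    """
    findings = []
    for path in owned_paths:
        for method in methods:
            writes = method in ("PATCH", "PUT")
            v_status, _ = send(method, path, victim_token, {"name": "probe-owner"} if writes else {})
            if not 200 <= v_status < 300:
                continue   # broken for the owner too; not a BOLA signal
            a_status, a_body = send(method, path, attacker_token, {"name": "probe-attacker"} if writes else {})
            if 200 <= a_status < 300:
                findings.append({"method": method, "path": path, "attacker_status": a_status, "body": a_body})
    return findings


def http_sender(base_url: str) -> Sender:
    """Sender for a real target; assumes bearer auth and JSON bodies. Not run offline."""
    def send(method: str, path: str, token: str, body: dict) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}
    return send


if __name__ == "__main__":
    for api_name, api in (("vulnerable", make_fake_api(False)), ("hardened", make_fake_api(True))):
        hits = probe_bola(api, "tok-alice", "tok-bob", ["/api/projects/1"])
        print(f"{api_name}: {len(hits)} BOLA finding(s)")
        for hit in hits:
            print(f"  {hit['method']} {hit['path']} -> {hit['attacker_status']} {hit['body']}")
```

Use two throwaway accounts you created yourself so the marker writes land on resources nobody cares about, and pass only paths the first account owns: the probe treats a 2xx for the owner as the baseline, so feeding it someone else's paths would turn an owner-side BOLA into a missed finding.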
CWE / OWASP mapping for buyer triage
For triage at handover, the categories below are the ones to gate the holdback clause on. Every finding the buyer-side scan surfaces should carry its CWE and OWASP tag so the LOI language can refer back without ambiguity.
| Finding category at close | CWE | OWASP | Holdback severity |
|---|---|---|---|
| Missing or broken Supabase RLS | CWE-862 / CWE-863 | A01 · API1 | Critical-blocker |
| Hardcoded secret in frontend bundle | CWE-798 | A02 · A05 | Critical-blocker |
| Stripe sk_live_ in bundle (separate count) | CWE-798 | A02 | Critical-blocker (financial impact) |
| Seller-still-has-credentials post-handover | CWE-732 / CWE-284 | A01 · A05 | Critical-blocker |
| BOLA in CRUD endpoints | CWE-639 | A01 · API1 | Critical-blocker |
| CORS allow-all on credentialed endpoints | CWE-942 | A05 · API8 | High-blocker |
| Outdated dependencies with known CVEs | CWE-1104 | A06 | Medium (patch + monitor) |
| Verbose error responses leaking stack traces | CWE-209 | A09 · A05 | Medium |
| No HSTS | CWE-319 | A02 · A05 | Low (deploy fix) |
| Test user accounts left in production | CWE-798 / CWE-284 | A05 | Medium-blocker (rotate + audit) |
The “seller-still-has-credentials” row is the under-disclosed one. CWE-732 (Incorrect Permission Assignment for Critical Resource) is rarely flagged by automated scanners because it is not a code-level finding — it is a handover finding. The diligence step is procedural: confirm the seller has rotated their own creds, removed their email from admin roles, and revoked OAuth grants. Verify by attempting the login.
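For the CORS, HSTS and stack-trace rows of the mapping table, an added example (not VibeEval's scanner) of the response triage that tags each finding with the CWE and OWASP labels used above. It takes one captured response plus the Origin header that was sent, so a buyer can run it over the responses their own curl calls produce. Both sample responses at the bottom are constructed, not captured from any listing.

```python
"""Response triage for the CORS, HSTS and stack-trace rows of the mapping table.

Added example for this catalog, not VibeEval's scanner. It takes one captured
response plus the Origin that was sent and returns findings carrying the
CWE/OWASP labels used in the table. Both sample responses are constructed.
"""
import re
from typing import Dict, List

# Frame shapes from the runtimes vibe-coded backends usually run on.
STACK_TRACE_MARKERS = (
    re.compile(r"^\s+at .+ \(.+:\d+:\d+\)", re.M),          # Node / V8
    re.compile(r'File ".+", line \d+, in ', re.M),           # Python
    re.compile(r"^\s+at [\w.$<>]+\(.+\.java:\d+\)", re.M),   # JVM
)


def triage_response(origin_sent: str, status: int, headers: Dict[str, str], body: str,
                    credentialed: bool = True) -> List[Dict[str, str]]:
    """Findings for one response. credentialed=True means the endpoint is one that
    authenticates by cookie or Authorization header, which is when CORS matters."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Dict[str, str]] = []

    # CWE-942: the exploitable shape is a reflected Origin together with
    # Allow-Credentials: true, since any site can then read a cookie-authenticated
    # user's data. A literal * with credentials is refused by browsers but still
    # marks an allow-all config that becomes exploitable the moment someone
    # "fixes" it by reflecting the Origin.
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if credentialed and acao is not None:
        if acao == origin_sent and acac:
            findings.append({"finding": "CORS reflects arbitrary Origin with credentials",
                             "cwe": "CWE-942", "owasp": "A05 · API8", "severity": "high"})
        elif acao == "*" and acac:
            findings.append({"finding": "CORS allow-all alongside Allow-Credentials",
                             "cwe": "CWE-942", "owasp": "A05 · API8", "severity": "medium"})
        elif acao in ("*", origin_sent):
            findings.append({"finding": "CORS allow-all on a credentialed endpoint (no credentialed read yet)",
                             "cwe": "CWE-942", "owasp": "A05 · API8", "severity": "low"})

    # CWE-319: no HSTS (or max-age=0, which switches it off) leaves the first
    # request downgradeable; the table rates it low because it is a deploy-config fix.
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age\s*=\s*(\d+)", hsts or "", re.I)
    if hsts is None or (max_age and int(max_age.group(1)) == 0):
        findings.append({"finding": "No HSTS" if hsts is None else "HSTS max-age=0",
                         "cwe": "CWE-319", "owasp": "A02 · A05", "severity": "low"})

    # CWE-209: a stack frame in the body means the framework's debug handler is on
    # in production; 5xx plus a frame is the usual shape, but a frame in a 200 counts too.
    if any(p.search(body) for p in STACK_TRACE_MARKERS):
        findings.append({"finding": f"Stack trace in {status} response body",
                         "cwe": "CWE-209", "owasp": "A09 · A05", "severity": "medium"})
    return findings


# Constructed samples: what a vibe-coded API often returns at close vs a clean target.
LEAKY_RESPONSE = dict(
    origin_sent="https://attacker.example", status=500,
    headers={"Access-Control-Allow-Origin": "https://attacker.example",
             "Access-Control-Allow-Credentials": "true",
             "Content-Type": "text/plain"},
    body="TypeError: Cannot read properties of undefined (reading 'id')\n"
         "    at getProject (/app/dist/server.js:42:17)\n"
         "    at Layer.handle (/app/node_modules/express/lib/router/layer.js:95:5)\n",
)
CLEAN_RESPONSE = dict(
    origin_sent="https://attacker.example", status=200,
    headers={"Access-Control-Allow-Origin": "https://app.example",
             "Vary": "Origin",
             "Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    body='{"ok":true}',
)

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(name)
        for f in triage_response(**sample):
            print(f"  [{f['severity']}] {f['cwe']} {f['owasp']}: {f['finding']}")
```

Send an Origin you control when you capture the response; reflection is only visible when the Origin you sent is not one the app should trust.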
What buyers should add to their letter of intent
Based on what we encountered, the pre-close conditions that would have prevented every “seller still has credentials” finding:
- Seller rotates Stripe, Supabase, Firebase, and any AI provider keys at close
- Seller removes their personal email from all admin/owner roles at close
- Seller revokes OAuth grants on Google Workspace, GitHub, Slack at close
- Buyer runs an automated security scan within 24 hours of handover; criticals trigger the holdback clause
We are happy to share template LOI language with buyers; ask for it via the contact form.
Methodology
Source. Failure shapes are drawn from anonymized buyer-side engagements between Jan 2026 and Apr 2026 across Acquire.com, Flippa, and MicroAcquire, focused on listings identifying as built on Lovable, Bolt, Cursor, Replit, or V0 in the typical hobby-to-mid-size price range. We do not publish a corpus N or aggregate purchase total because the engagement portion is anonymized by design and not a uniform random sample of all marketplace listings.
Scan timing. Each engagement was scanned within 60 minutes of admin-access transfer. The “at close” snapshot is the first scan; subsequent post-fix scans are not in this catalog.
Disclosure. Sellers were informed before close that anonymized findings would be published. No seller is named, no listing URL is published, no domain is revealed.
Limits. Per-engagement cost is not negligible and the disclosure burden is real, so the underlying engagement set is intentionally small. The failure-shape ranking is directionally meaningful; the absolute frequencies would have wide confidence intervals if we tried to publish them.
Calibration via gapbench. The buyer-side diligence flow described here can be practiced and reproduced against gapbench.vibe-eval.com scenarios that mirror each finding shape — without needing real acquisition spend. The clean control (ref0) is what a properly-audited target should look like under the same scanner.
Reproduce on the public benchmark
The acquired apps are not public for seller-privacy reasons. The diligence flow itself is reproducible against gapbench scenarios that mirror the finding shapes:
| Diligence step | gapbench scenario for practice | Pattern walkthrough |
|---|---|---|
| 1. Token leak check | indie-saas, config-leak | Source maps and .git in production |
| 2. RLS check | supabase-clone | The Supabase service-role key in your frontend bundle |
| 3. BOLA cross-account | multi-tenant-saas, fintech-app | BOLA in AI-generated CRUD |
| 4. Mass assignment / self-editable role | mass-assignment | Mass assignment |
| 5. Seller-credentials-rotated | auth-system | Magic links, OTP, password resets |
| Clean reference | ref0 | False positives and the ref0 control |
A buyer who has run the diligence flow against the gapbench scenarios first will recognize each finding shape on a real listing in seconds. The cost of the practice run is zero; the cost of skipping it is unbounded.
Sources and references
- gapbench acquisition-diligence scenarios. indie-saas (secrets in bundle), supabase-clone (RLS off), multi-tenant-saas (BOLA), mass-assignment, auth-system (seller-credentials-rotated probe), ref0 (clean control).
- OWASP Top 10 (2021) and OWASP API Security Top 10 (2023) for category mappings.
- CWE-798, CWE-862, CWE-639, CWE-915, CWE-732, CWE-942, CWE-352, CWE-770, CWE-209, CWE-319, CWE-1104. cwe.mitre.org.
- Companion data study. Where Vibe Coders Leak Their Keys — 2026 Frontend Secrets Report for the bundle-secret leak shapes.
Citations
VibeEval. The Acquisition Audit: Buyer-Side Security Diligence for AI-Built SaaS. May 2026. https://vibe-eval.com/data-studies/acquisition-audit-acquire-flippa/
Related
- Pattern walkthrough: The Supabase service-role key in your frontend bundle — the modal critical at handover
- Pattern walkthrough: BOLA in AI-generated CRUD
- Pattern walkthrough: Mass assignment
- Pattern walkthrough: Magic links, OTP, password resets — for the seller-credentials-retained class
- Data study: 2026 AI App Security Benchmark
- Data study: Where Vibe Coders Leak Their Keys
- Data study: Honeypot Supabase — what happens after the leak
- Guide: Solo Founder Pre-Launch Security Checklist
- Tool: Free Security Self-Audit
- Comparison: Best Security Scanner for AI-Generated Apps
RUN IT YOURSELF
Each scenario below is live on the public benchmark. The commands are copy-paste ready. Outputs may evolve as we tune the scenarios; the bug stays.
```bash
# Step 1, token leak check: Stripe secret keys and JWT-shaped tokens in the demo bundle.
curl -s https://gapbench.vibe-eval.com/site/indie-saas/ | grep -oE 'sk_(live|test)_[A-Za-z0-9]{20,}|eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+'

# Step 2, RLS check: rows coming back with nothing but the anon key means RLS is off or the policy is permissive.
curl -s 'https://gapbench.vibe-eval.com/site/supabase-clone/rest/v1/users?select=*' -H 'apikey: ANON_KEY'

# Step 4, BOLA: a 200 for a project that user B does not own is the finding.
curl -s https://gapbench.vibe-eval.com/site/multi-tenant-saas/api/projects/1 -H 'Authorization: Bearer USER_B_TOKEN'

# Step 6, seller-credentials-retained: a successful login with the former owner's credentials is the finding.
# The JSON body needs a Content-Type header or most frameworks will not parse it.
curl -s -X POST https://gapbench.vibe-eval.com/site/auth-system/api/login -H 'Content-Type: application/json' -d '{"email":"former-owner@example.com","password":"OLD_PASSWORD"}'

# Clean control: ref0 response headers; a properly audited target sends Strict-Transport-Security here.
curl -s -I https://gapbench.vibe-eval.com/site/ref0/
```