Launching today

Opviva
It proves your app's security holes, then fixes them
11 followers
It proves your app's security holes, then fixes them
11 followers
AI built your app in days — and shipped the security holes with it: exposed keys, open databases, broken access control. Opviva is the security agent you just talk to. Tell it what you shipped; it scans your live app, proves each exploit is real by reproducing it, opens the fix as a pull request you approve in one click, and keeps watching after launch. Free scan, no signup. Ship it — then just say "check it."







RiteKit Company Logo API
@varunkris proves the exploit, then opens the pull request with the fix, and lets the small ones auto-merge while risky ones wait for your one-click approval. That "prove it, then fix it" loop is a genuinely different bar than a scanner that hands you a list.
You launched without a demo video, and these land so much harder without one showing the flow — so I made you one, free, fully whitelabeled, no watermarks or strings. Drop it into your gallery now while the launch is fresh:
Built it with FoxPlug — it turns your real product updates into launch videos, posts and GIFs automatically. foxplug.com. Keep shipping.
@saulfleischman Honestly, this made my day, Saul — thank you. 🙏 You clearly actually dug into it, because "prove it, then fix it" is the exact thing we care most about, and most people skim right past it. That you took the time to put a whole video together means a lot.
And FoxPlug looks genuinely cool — turning product updates into launch assets automatically is a real pain worth solving, so serious kudos, and good luck with it. Builders showing up for each other on launch day is the best part of this whole thing.
the "proves it's real by reproducing the exploit" part is the right instinct, way better than a list of maybes. the case i'd want to understand: what happens when the fix is technically correct but breaks intended behavior, like an endpoint that was deliberately public and opviva locks it down because it looks like broken access control from the outside. does it have any way to tell "was this open on purpose" from "this is a bug", or does that risk land entirely on the human reviewing the PR
@galdayan Great question — you've hit the exact failure mode that sinks most "AI finds bugs" tools. Two parts:
First, for broken-access/IDOR we don't flag "this endpoint is open." We run it with two accounts (A = owner, B = attacker) and only call it a bug when B can pull a value that's genuinely private to A — with a specific gate for your case: that value must not also appear in B's own equivalent resource. If it does, it's shared/public data, not a leak, and we refute it. So a deliberately-public endpoint serving public data gets filtered out at the proof stage. That refutation is aimed squarely at "open on purpose."
Second, the honest part: anything that changes behavior (locking an endpoint down included) never auto-merges. It opens as a PR with the reproduced cross-account leak attached as evidence, and the final intent call lands on you. Safe, non-behavioral fixes auto-merge; anything that could break something waits for your one-click approval. For genuinely ambiguous intent, the human is the safety valve by design — the goal is just to make it a 30-second, fully-evidenced call instead of an hour of digging. Really appreciate you poking exactly here.
@varunkris the cross-account gate is a genuinely clever proof, checking whether B's own equivalent resource returns the same value is exactly the kind of thing that separates a real refutation from just pattern-matching "endpoint has no auth check." and keeping the human as the final call on ambiguous intent instead of pretending you can automate away that judgment is the right kind of honest. this is one of the more thought-through answers I've gotten on this thread. good luck with the launch.
@galdayan Means a lot, Gal — thank you. Getting that nuance right (refute the false positives, keep the human on the genuinely ambiguous calls) is the whole game, and it's rare to get pushed on exactly the right spot. If you ever point it at something real, I'd love your eyes on the output.
Ran the free scan on a side project and it actually pulled up a real auth issue I'd been ignoring, then dropped a clean PR for it. The "just talk to it" angle feels less gimmicky than I expected.
@denizpalantblu This genuinely means a lot, Deniz — thank you for actually running it on a real project. "Prove it, then fix it" (and "less gimmicky than expected" 😄) is exactly the bar we're going for. If you want it watching that side project long-term, or you hit anything rough, I'm right here — would love the feedback.
The fact that it actually reproduces the exploit instead of just flagging it is the real win — way too many scanners throw a wall of alerts. Skipped signup, pointed it at a side project, and it opened a tidy PR for a busted access control I'd honestly missed.
@csafiye39760 This is exactly the bar we're aiming for, Safiye — thank you. "A wall of alerts" is the thing we set out to kill; reproducing the exploit is how you cut it down to what's actually real. Really glad it caught that access-control gap.