A vibe-coding platform with a potentially fabricated ISO 27001 certificate just left every pre-November 2025 project — source code, database credentials, AI chat history — readable by any free account for 48 days. And counting.

he first week of a new vCISO assignment, I always meet the same person. Their title says Platform Engineer. Or DevOps Lead. Or Senior SRE. But somewhere in the last year, they became the unofficial security team. They didn’t ask for it. They were voluntold—because they’re “the technical one” and security seemed adjacent to infrastructure. By the time I show up, they’ve been carrying something they can’t quite name. Here’s what it looks like.