
When Startups Ask for Free Security Work

6•hdue•4mo ago
A few weeks ago, I explored [redacted], a YC-backed AI backend platform. Like many security researchers, I tend to poke at new tools to see how they handle common attack vectors.

It didn’t take long to find issues, both in security and user experience.

## The Vulnerabilities

*Authorization Flaw*: [redacted] limits free users to 3 items, with a paywall for more. But their API doesn’t enforce this. Anyone can bypass the frontend and call the API directly.

This classic flaw means free users can generate unlimited content, paid tiers lose value, and the business model collapses.

*UX Problems*: The platform also has confusing navigation, inconsistent design, poor hierarchy, clunky workflows, and unclear onboarding. When the product experience feels this raw, security flaws are just another sign of neglect.

## The Response

I asked in their community channel about their disclosure process. The founder replied:

“hi [name], i just saw your message on the general channel. right now, we are not hiring, but people are helping improving the platform and this is a good test for the future, when we will hire people. if you want to contribute, feel free to report bugs or security issues to us. if security related, it's best on private dms rather than on general channel”

Translation: Please do free security work for us. Maybe we’ll hire you someday.

## Why I Didn’t Disclose

I withheld details because:

- No bug bounty or acknowledgment system
- Security research framed as "free testing"
- Vague promise of future consideration, not present compensation
- No disclosure policy or timeline
- Overall lack of professionalism

Finding and responsibly reporting vulnerabilities takes skill. Expecting researchers to do it for free, especially from a funded startup, is unacceptable.

## The Broader Problem

This reflects a larger startup issue: wanting community help without paying for it. Companies routinely ask for unpaid QA, security audits, bug reports, and UX feedback while raising millions.

## What Good Companies Do

The best companies have:

- Clear disclosure policies with defined timelines
- Bug bounty programs (even small ones show respect)
- Professional communication with researchers
- Public acknowledgment for responsible disclosure

It doesn’t take much. Even a $10 gift card and a thank-you matter.

## Current Status

A month later, the vulnerability is still unfixed, and UX remains rough.

For users, this means inaccurate usage tracking, broken economics, possible deeper issues, and ongoing frustration. For the company, it reveals a culture where security, UX, and respect are afterthoughts.

## Lessons for Founders

*Security basics*:

- Enforce all limits server-side. Never trust the frontend.
- Publish a simple disclosure policy.
- Respect researchers; we’re trying to help.

*Cultural basics*:

- Don’t ask for free labor.
- Treat feedback as valuable, not free QA.
- Remember that first impressions last.

The security community wants to help, but not at the cost of undervaluing expertise.

Build secure products. Create intuitive experiences. Respect those who help you improve. Security debt compounds quickly, but UX debt kills adoption even faster.

---

Have you had similar experiences with AI startups expecting free security work? How do you handle companies that dismiss security?
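The authorization flaw the post describes (a 3-item free-tier cap enforced only in the frontend, so a direct API call bypasses it) and the "enforce all limits server-side" lesson, shown as an added example that is not code from the post or from the platform it discusses. The request shape, the `plans`/`items` tables and the in-memory `Store` are assumptions standing in for a real database; only the free-tier limit of 3 comes from the post.

```python
"""Quota enforcement: frontend-only versus server-side.

Added example, not the platform's own code. The request fields, the Store
layout and the plan names are assumptions; Store is an in-memory stand-in
for a real database.
"""
from dataclasses import dataclass, field

FREE_TIER_LIMIT = 3  # the free-tier cap described in the post


class QuotaExceeded(Exception):
    """Raised when a free user is over the cap (the paywall response)."""


@dataclass
class Store:
    # user_id -> plan ("free" or "paid"): the server's own record of entitlement
    plans: dict = field(default_factory=dict)
    # user_id -> list of item ids created so far: the server's own usage record
    items: dict = field(default_factory=dict)


def create_item_trusting_client(store, user_id, request):
    """Vulnerable pattern: the cap is only checked against values the caller
    supplies. A browser frontend fills in "plan" and "item_count", but a
    direct API call can omit or change them, so the paywall is bypassed."""
    if request.get("plan") == "free" and request.get("item_count", 0) >= FREE_TIER_LIMIT:
        raise QuotaExceeded("upgrade required")
    item_id = f"item-{len(store.items.get(user_id, [])) + 1}"
    store.items.setdefault(user_id, []).append(item_id)
    return item_id


def create_item_server_enforced(store, user_id, request):
    """Hardened pattern: entitlement and usage are read from server-side
    state only. The request body plays no part in the authorization
    decision, so bypassing the frontend changes nothing."""
    plan = store.plans.get(user_id, "free")  # unknown users get the most restrictive plan
    current = len(store.items.get(user_id, []))
    if plan == "free" and current >= FREE_TIER_LIMIT:
        raise QuotaExceeded("upgrade required")
    item_id = f"item-{current + 1}"
    store.items.setdefault(user_id, []).append(item_id)
    return item_id


def count_created(handler, plan, attempts=5):
    """Drive one handler with direct API calls that carry no frontend
    bookkeeping (an empty request body) and return how many items a user
    on the given plan was allowed to create."""
    store = Store(plans={"alice": plan})
    created = 0
    for _ in range(attempts):
        try:
            handler(store, "alice", {})  # no "plan" / "item_count" fields supplied
            created += 1
        except QuotaExceeded:
            pass
    return created


def demo():
    """Compare both handlers for a free user; the vulnerable one lets all
    five creations through, the hardened one stops at the cap."""
    return {
        "trusting_client": count_created(create_item_trusting_client, "free"),
        "server_enforced": count_created(create_item_server_enforced, "free"),
    }


if __name__ == "__main__":
    print(demo())  # {'trusting_client': 5, 'server_enforced': 3}
```

Against a real database the count-and-insert in the hardened handler must be atomic (one transaction, or a conditional insert that fails when the count is already at the cap); otherwise two concurrent requests can both read a count of 2 and both succeed. Usage tracking should likewise be derived from the server-side record, since that is the only number the business can bill against.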

Comments

kjs3•4mo ago
So lemme get this straight...you did this 'research' without figuring out whether the 'target' will compensate you, or if they'd even care, and now you're on HN complaining that they aren't paying you something they never asked for, didn't promise you, and apparently don't want. That may not be a smart way to do things, but no one is asking you for something free, and I'm frankly mystified why you think you're owed anything under the circumstances you described.