Let's start simple. I am Dhanush (17M, a self-taught coder).
I found a company that sells productivity audio for the masses. They are a science-backed, AI giant in that market—let’s call them "B" for now.
They have their audio links tokenized (awesome), but the tokens are valid for 3 months. Those links can be fetched by anyone with basic technical knowledge. The server sends the full, unprotected file, and these links are generated in batches of ~40 at a time.
I contacted them through more than 50 methods (LinkedIn, X, Instagram, and even their freelancers). I even emailed the CEO directly (personal) to make them aware of this structural failure. To be ethical, I shared a SHA-256 hash of a proprietary file as proof of access rather than distributing their content.
Their account creation is even more flawed. They allow any string with an "@" symbol to act as a valid email, providing instant trials to their premium-only service with no cooling period or verification.
I understand that some companies allow "loopholes" to lower the barrier for new users, but this is different. This is their core Intellectual Property.
Finally, a developer replied. I explained that their links stay open for 120 days. He was professional and escalated the issue to management. He told me they would contact me, but no one did.
After over a month of silence from management and no fix, the developer told me: "Feel free to do what you want". They haven't patched the flaw, nor did they provide a certificate of endorsement or any validation for the findings.
So, I built a startup out of this experience. I created a platform where data is truly safe, using a "shred and spread" mesh method. It leverages the storage of cloud providers while ensuring they never hold a complete, readable file.
I have applied for the YC X26 batch with this. We are currently testing "Data Pools"—a public data-sharing community that allows for deduplication without compromising privacy.
Yes, that is possible, and we are building it now.
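One way to close the window the post describes, as an added example (not code from the post or from company "B"): download links signed with HMAC-SHA256, bound to the requesting account, and expiring after minutes rather than 90 days, with the expiry and binding enforced on the server at verification time. The key, URL layout and parameter names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Hypothetical signing key for this example; a real service loads it from a secret store.
SECRET_KEY = b"example-only-replace-with-random-256-bit-key"
DEFAULT_TTL_SECONDS = 15 * 60  # minutes, not the 90-day window described in the post


def _signature(file_id: str, user_id: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over every field the server will trust, URL-safe base64 encoded."""
    msg = f"{file_id}|{user_id}|{expires}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_download_url(file_id: str, user_id: str, now: int,
                      ttl: int = DEFAULT_TTL_SECONDS, key: bytes = SECRET_KEY) -> str:
    """Issue a link bound to one account that stops working after `ttl` seconds."""
    expires = now + ttl
    sig = _signature(file_id, user_id, expires, key)
    return f"/audio/{file_id}?uid={user_id}&exp={expires}&sig={sig}"


def verify_download_url(url: str, requesting_user: str, now: int,
                        key: bytes = SECRET_KEY) -> bool:
    """Accept the link only if it is unexpired, unmodified and presented by the bound user."""
    parsed = urlparse(url)
    file_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        user_id = q["uid"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False            # missing or malformed parameters
    if now >= expires:
        return False            # expired: the server, not the client, enforces the window
    if user_id != requesting_user:
        return False            # a leaked link is useless to anyone but the bound account
    expected = _signature(file_id, user_id, expires, key)
    return hmac.compare_digest(sig, expected)  # constant-time MAC comparison
```

Because `exp` and `uid` are covered by the MAC, editing either field in a captured link invalidates it; shortening the TTL is a one-line change rather than a redesign.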
p_ing•19m ago
Of course it’s possible. There are multiple decentralized and fragmented solutions. This is a concept from the early 2010s.
Elevanix•2h ago
See the product here: https://flashmesh.netlify.app/