Do You Choose Speed Or Security?
A story about indie hacking, shipping fast and security
We are now a community of 258! Thank you❤️
This newsletter is free and I don’t use paid advertising. I completely rely on organic growth through users who like my content and share it.
So, if you like today’s edition, please take a moment to share this newsletter on social media or forward this email to someone you know.
In The Matrix (1999), Morpheus offers Neo two pills - red for reality and blue for going back to the simulation. For movie watchers, the choice is probably easy - obviously red (maybe not?).
But what if it’s your life and you are a business owner - a software business, to be more specific. You are confronted with a choice - speed or security?
If you choose speed, you can launch faster and capture the market. You get to be ahead of the competition and be a leader. On the flip side, you can get attacked by hackers and lose your money and customers.
If you choose security, you get credibility and the chance to grow faster as your business becomes larger. You also get to keep your transactions, revenue and project safe. On the flip side, your initial growth might be slow; even slower than you can tolerate and your project might never make the money you dreamt about.
The Marc Lou (ShipFast) Controversy
Marc Lou and some of his products
An indie hacker (me, for example) is a person who makes micro-SaaS (apps, websites, etc.) to make money.
Some of the famous (and rich) ones include Pieter Levels, Danny Postma and Marc Lou.
Two years ago, Marc was making nothing. He had one failed product after another but he had battled through depression and decided not to give up. Indie hacking was his passion and he kept shipping one micro-SaaS after another.
And then something clicked: ShipFast (shipfa.st), Marc’s Next.js boilerplate for building SaaS products, became a grand success. Marc currently makes over $50K/month by selling the boilerplate for nearly $200.
It has been all smooth sailing (after years of hard work) for the last two years. More money than ever before, some more side income projects, a growing list of followers on X and YouTube, until…
On 13th October, Marc tweeted this:
He hacked my site... So I paid him $300.
@JonasScholz19 emailed me yesterday about potential security issues on DataFast.
- He didn't ask anything
- He didn't post it publicly
- It was legit
So I sent him $300.
We are a small community of ambitious people trying to never work… x.com/i/web/status/1…
— Marc Lou (@marc_louvion)
12:45 PM • Oct 13, 2024
Some responses were positive: a guy finds something wrong with Marc’s project, Marc thanks him, pays him and fixes the vulnerability. All good. Other responses were: just $300? Marc makes $50K a month, isn’t $300 too little?
But, some others thought even more - What if there were more security vulnerabilities?
Lo and behold…
A 20-year-old developer named Simon found multiple issues with ShipFast, including insecure Mailgun webhooks, a lack of server-side validation, and the fact that you could get ShipFast for absolutely free by bypassing the paywall!
Multiple indie hackers then proceeded to reproduce the same vulnerabilities themselves or to discover new ones, some in Marc’s other projects as well.
For example, one of my mutuals on X, Samar discovered that ShipFast was also exposing customer data!
If you are an indie hacker, you could be living under a rock to ignore this @shipfa_st security issues.
Marc's product has some serious problems.
1. It's super easy to get past the paywalled content. Spent less than 5 minutes and I was in.
2. Shipfast is exposing user's… x.com/i/web/status/1…
— Samar Kundal (@thesamarkundal)
7:04 AM • Oct 22, 2024
Marc’s response to the now escalating situation was just horrible. Anyone could react badly in such a situation, and Marc did.
He began by blocking anyone who exposed the vulnerabilities.
I was a virgin, an hour ago.
I've never blocked anyone after 3 years on Twitter.
But my feed in the past 30 days is made of developers who think the world can be fixed with more tests.
Dozens of people try to screw my sites every day. And they claim a CRITICAL VULNERABILITY… x.com/i/web/status/1…
— Marc Lou (@marc_louvion)
12:45 PM • Oct 21, 2024
He then proceeded to call indie hacking a “witch hunt”. This was a statement in very bad taste: Marc’s customer base is the indie hackers who make products using his boilerplates.
"Ethical hacking for the good of the community"
BS.
- My server logs are on fire
- Hundreds of bots crawl my API endpoints all-day
- They abuse my support, pretending to be customers
So
- I fixed the ShipFast paywall (you can't get it for free, sorry)
- I hired someone to… x.com/i/web/status/1…
— Marc Lou (@marc_louvion)
10:38 AM • Oct 22, 2024
Of course, some of his points are agreeable. Anyone who has ever run any kind of business knows that it’s easier to point out mistakes than to actually build something.
But Marc’s reaction lacked empathy, acknowledgement of the genuine people who informed him of the bugs, and a promise to fix all the bugs so that his customers would not be affected.
Thankfully for Marc and the rest of the community, he took some time and went ahead with some course correction:
Twitter, let's talk?
— Marc Lou (@marc_louvion)
12:05 PM • Oct 24, 2024
In the video, Marc finally apologizes, acknowledges his mistakes, and promises to prioritize the fixing of any security issues with ShipFast.
Back to the dilemma - security vs speed. Simply put, in Marc’s case, this dilemma did not exist 2 years back. He was making $0/month. Security was the least of his concerns.
His aim was shipping as many products as possible, as soon as possible, to make money. Once he had his first few customers, he should have started looking at security.
He didn’t. He forgot about security and went all in on marketing, which made him more and more money until last week.
Anyway, Marc is (hopefully) now on the right track.
And, finally, my answer to the question in the title -
“Do You Choose Speed Or Security?”
Both.
On another note, if you are looking for a SaaS boilerplate that you cannot get for free by bypassing the paywall (sorry, Marc), check out OneMix by SaaS King.
Did you like today’s newsletter? Feel free to reply to this mail.
This newsletter is free but you can support me here.