当初创公司请求免费安全服务时

A few weeks ago, I explored [redacted], a YC-backed AI backend platform. Like many security researchers, I tend to poke at new tools to see how they handle common attack vectors.<p>It didn’t take long to find issues, both in security and user experience.<p>## The Vulnerabilities<p>*Authorization Flaw*: [redacted] limits free users to 3 items, with a paywall for more. But their API doesn’t enforce this. Anyone can bypass the frontend and call the API directly.<p>This classic flaw means free users can generate unlimited content, paid tiers lose value, and the business model collapses.<p>*UX Problems*: The platform also has confusing navigation, inconsistent design, poor hierarchy, clunky workflows, and unclear onboarding. When the product experience feels this raw, security flaws are just another sign of neglect.<p>## The Response<p>I asked in their community channel about their disclosure process. The founder replied:<p>“hi [name], i just saw your message on the general channel. right now, we are not hiring, but people are helping improving the platform and this is a good test for the future, when we will hire people. if you want to contribute, feel free to report bugs or security issues to us. if security related, it&#x27;s best on private dms rather than on general channel”<p>Translation: <i>Please do free security work for us. Maybe we’ll hire you someday.</i><p>## Why I Didn’t Disclose<p>I withheld details because: - No bug bounty or acknowledgment system - Security research framed as &quot;free testing&quot; - Vague promise of future consideration, not present compensation - No disclosure policy or timeline - Overall lack of professionalism<p>Finding and responsibly reporting vulnerabilities takes skill. Expecting researchers to do it for free, especially from a funded startup, is unacceptable.<p>## The Broader Problem<p>This reflects a larger startup issue: wanting community help without paying for it. Companies routinely ask for unpaid QA, security audits, bug reports, and UX feedback while raising millions.<p>## What Good Companies Do<p>The best companies have: - Clear disclosure policies with defined timelines - Bug bounty programs (even small ones show respect) - Professional communication with researchers - Public acknowledgment for responsible disclosure<p>It doesn’t take much. Even a $10 gift card and a thank-you matter.<p>## Current Status<p>A month later, the vulnerability is still unfixed, and UX remains rough.<p>For users, this means inaccurate usage tracking, broken economics, possible deeper issues, and ongoing frustration. For the company, it reveals a culture where security, UX, and respect are afterthoughts.<p>## Lessons for Founders<p>*Security basics*: - Enforce all limits server-side. Never trust the frontend. - Publish a simple disclosure policy. - Respect researchers, we’re trying to help.<p>*Cultural basics*: - Don’t ask for free labor. - Treat feedback as valuable, not free QA. - Remember that first impressions last.<p>The security community wants to help, but not at the cost of undervaluing expertise.<p>Build secure products. Create intuitive experiences. Respect those who help you improve. Security debt compounds quickly, but UX debt kills adoption even faster.<p>---<p>Have you had similar experiences with AI startups expecting free security work? How do you handle companies that dismiss security?