18 comments

[ 2.7 ms ] story [ 25.7 ms ] thread
(comment deleted)
This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

A similar comment was posted on the PostHog post yesterday. Claiming everything is vibe coded without any proof is pure rage bait.
This is identical to a comment you wrote on the other story about these vulnerabilities that's higher up on the front page, which isn't great.
Why did you post the same comment twice? This is not Reddit, my friend.
$5k is such a small payout for this sort of finding.
It's actually pretty on-par for most bug bounties. They used the same exploit on a few programs and got $11k total which ain't bad return on time.
(comment deleted)
How is a company like mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?
Lots of these companies are YC companies, and they tend to use other YC products. For those that aren't, its easier to just use what other big names are using, and having YC as a backing name is quite useful in that regard.
fun fact: last BigCo I worked in had an elaborate architecture/security bar for new applications/features but offered a clever workaround - you could use a pre-approved solution and skip numerous quality checks and approvals, so every single PO was pushing for that specific solution.

The result? A static html with 500 ppl audience was billing a whooping 2k EUR a month, because that was the cost of that pre-approved architecture.

Best part - I was championing a company wide solution for that problem for over a year, which resulted in board level special operation with 100k budget only to get that budget snugged by people couple steps above the ladder.

> alongside, we can poison the nextjs cache for everyone for any site,

What??

isn't this actually XSRF and worse than XSS?

Also, if users can run arbitrary JS on someone else's server then what stops them from doing CPU-bound work such as crypto miners?

wow it felt like they were playing around lol
Wow this is interesting, however, the reward seems way too less to me.