1
0 Comments

A stranger found real security holes in my product. I think it made it more trustworthy.

Hey Indie Hackers 👋

Something happened this week that changed how I think about "building in public," and I wanted to share the honest version, not the highlight-reel version.

What happened
I wrote a technical post a while back about a Supabase Storage bug I'd fixed on RamenHire. A reader left a comment pointing out that one of the RLS policies I'd shared publicly — not the bug itself, a different policy — would let any signed-in user read every uploaded CV in the bucket, not just their own. On RamenHire specifically, it wasn't actively exploitable (no real user accounts exist yet), but the policy itself didn't know that. It just said, "Anyone signed in."

Then the same reader came back. Twice more. Each time with something real: a gap in how file uploads were tied (or not tied) to actual applications, and eventually a second, near-identical broad permission I'd missed on a different bucket.

What I actually did
Fixed each one, verified it directly against production (not just "looks right locally"), and wrote it all up publicly — including a full audit afterward that turned up a few more things nobody asked about. Some I fixed immediately. One I deliberately left alone and documented instead, because fixing it properly means building infrastructure that doesn't need to exist yet. Full technical version, code, and all, is here: the technical write-up

Why am I posting the other half here?
What I actually want to talk about is the trust question. I built a product whose entire pitch is "we're the honest, transparent option." Then a reader found real, sometimes-not-flattering gaps in exactly that product — publicly, where anyone could watch it happen. And I'm genuinely glad it went that way. Getting called out in a comment section is a little humbling in the moment, but I'd take that over a quiet DM any day — the public version is what actually lets other people trust that it got fixed, not just take my word for it.

Curious what this community thinks: if you found a real security or trust issue in a product you liked, would you actually say something publicly, or default to a quiet DM? I'm not sure most people's instinct is to do it in the open, and I think that's a bit of a shame.

🍜 ramenhire.com

on July 15, 2026
Trending on Indie Hackers
641 downloads, 2 sales, and I still don't know why User Avatar 131 comments I sent 43 cold emails with my own tool. 17 replied. 1 paid. Here’s the unofficial launch. User Avatar 95 comments I built for one user. Myself. User Avatar 67 comments My AI agent quoted a client a price we killed months ago. So I built Engram. User Avatar 34 comments Got our first paid customers from an unexpected channel User Avatar 28 comments I came up with a great idea for a solo Vibe Coding project, and I'm testing it out right now User Avatar 22 comments