Rogue developer wants to extort our startup. What would you do?

Someone is trying to extort our startup for random payment by threatening to post our codebase online or sell it to third parties.

An Iranian developer named Ali Eskandarpour applied to one of the jobs we posted on AngelList. Initially we were going to give him a contract for a test assignment. And we gave him access to two of our private repos to assess the assignment requirement.

But since he is in Iran, after consulting with our legal advisor, we realized that there are legal problems for US companies like us to do business with Iranian entities because the country is under sanction. So we told Ali that we unfortunately couldn't hire him.

He then threatened to post our codebase online for free (which he has downloaded locally), unless we send him $7000 in "wage compensation". Even though we did not hire him and he hasn't written a single line of code for us.

After we refused, he tried to sell our codebase to third parties, even posting a comment on our Product Hunt page asking for buyers (Product Hunt has since deleted his harmful comment from their platform).

Obviously, we are not going to subject ourselves to bullies, and we are not going to pay him anything.

Still, it sucks when things like this happen.

In the grand scheme of things, a product is so much more than the codebase. And the Soundwise codebase without the Soundwise product (including the team, the user community, the brand, the distribution behind it) is not worth much. Still, things like this is a damaging distraction when you know you have a lot more important things to focus on for your startup.

So what's the answer?

You may say, why didn't you ask him to sign a NDA? Well, we did send him a NDA to sign while we shared the code. That's what we usually do when we work with new team members. But in this case, this person never signed the NDA we sent. Would it have made a difference if we had made sure he signed the NDA before we shared the code? Maybe. But I doubt it. If the person is seriously trying to extort you, a NDA is not going to stop them.

I don't think the answer is to tighten the control, either. The team wants to be trusted and respected. They don't want to be, and shouldn't be treated as potential thieves. That would be very damaging to team morale. And overall we've had amazing experience collaborating with team members from around the world. We don't want to stop trusting people or give people real responsibilities. Still, extreme cases like this do happen. The world is not all enlightened honorable beings, even when you extend people the best intention.

I'm interested to hear everyone's view on this.

What would you do if you were us?

  1. 22

    First, obviously, don't send him the money. How do you know he isn't lying as well? For all you know he might take the money and sell the source code anyway. I mean, why wouldn't he? There wouldn't be any repercussions.

    Second, try your best not to worry about it and move on. Whatever company he sells the source code too probably isn't going to do anything remotely productive with it. They are almost guaranteed to not improve or innovate on the product in the slightest, nor penetrate any markets aside from any local ones. If anything they'll likely make their copy gradually worse over time and give up.

    Legally, I'm not sure there's much you can do. I don't think there's any legal action you could throw at him that would actually work since he lives in Iran.

    1. 11

      I agree with everything but I would also add one more thing. Never give anyone access to your company assets unless you have hired them officially and a contract has been signed. It still doesn't protect you from bad faith actors but in this case, if you had first waited to get the contract ready, you would not have even given any access and then he would only have empty threats at best.

      Stop replying to that person and move on. There are plenty of websites where source code for almost any app is being sold. Yes it sounds terrible as a business owner and I am not saying to completely downplay it BUT at this moment, your best option is to move on and focus on your business. As others have said, the real business is in having customers. Code is worth a few dollars at best.

      1. 3

        Me too, giving access to your assets to a potential hire before any signed contract was a bit unwise but I'm not sure it would have changed anything. That said, I'm pretty sure your code is covered by copyright so in theory you have legal leverage against whoever buys the code...but I think it's unlikely that some real company would buy a smuggled code base from some random guy

    2. 6

      Also, it would be wise to double check the code he got access to, just to assess if there's any potential security vulnerability that he or someone else could exploit for attacks to the platform. If this guy is capable of blackmailing people, then he could do much worse than that.

      1. 2

        Exactly! Once (10 years ago) India developers left a backdoor on one of my projects, and I got hacked later on.

  2. 8

    I'm sorry you had to go through this. Running a startup is hard enough. Getting blackmailed over the codebase you've worked so hard to build is way too much.

    Thank you for sharing. I was born and raised in Iran and apparently, I have 39 mutual connections with this person on LinkedIn! I just posted a thread on Twitter with your screenshots explaining what happened in Persian. A lot of people are replying and retweeting saying they're pissed that an Iranian would do this and abuse your trust, and they hope the readers don't mistakenly think this is common with Iranian developers. It is the first time I'm hearing something like this even though most senior developers in Iran are working remotely with foreign companies.

    1. 7

      @ardalan thank you 🙏 We are not lawyers and this was the first time we dealt with this type of issues, too. We initially sought advice from a legal advisor because the person wanted to be paid in cryptocurrency and we figured we needed some legal council on that. That was how the issue around hiring in Iran came about. We're still not clear what's allowed and what's not allowed, so we decided to not go ahead with this hire since the legality issue appears complicated. Unfortunately it turned into this whole drama.

      I fully agree with you this says nothing about Iranian developers. The individual is responsible for his choices. This can happen anywhere in the world.

  3. 5
    1. Don't send him the money
    2. Find out where that account is held and report it to them
    3. Report him to the authorities of whichever country he is in... yes, even Iran
    4. Contact every place online where he has an account and report him for extortion (and being a jerk)
    5. Prepare you product to get out ahead of any potential copycats... create brand loyalty
  4. 5

    I know it doesn't help, but the things happen even to the giants. Here's what happened to the CD Projekt Red - https://twitter.com/CDPROJEKTRED/status/1359048125403590660. Keep strong!

  5. 5

    If he lives in the UAE, then you should be able to take legal actions. It will be costly and it is not worth it. It is of course unpleasant experince and I feel sorry for this situation you are in , but you have learned a valuable lesson. This should not affect you in anyways, for most of products/software can be copied, and the real value is in your community and team as you mentioned. I advice you to hire people from countries in which you can take legal actions if similar thing happened. Make sure they sign the NDA and send you a copy of their passport before any access to company assets.

  6. 4

    ## What what I do?

    This is what I already do:

    • Only hire people from within your country so you get full protection.
    • Provide them a company laptop that is managed by Microsoft Intune so you can lock them out
    • Don't let them use personal email for access to third-party services, code base and cloud services
    • Rotate API keys regularly
    • Divide web-application into multiple codebases, and only provide access when needed

    This is what I would do in your situation

    Ignore them, rotate keys, and move on. If they had access to your customer data, then you may consider this a breach, inform your customers, and enforce users to reset their passwords.

    1. 3

      Tash has already said they don’t want to tighten controls but I do agree about being careful who you hire.

      Still, I don’t think they should ignore global talent especially if their company is open to remote work. Especially since the likelihood of something like this happening is very low.

    2. 1

      The second half of this is good advice, but I disagree with points 1 and 2 (and a little with 3).

      1. You don't have to only hire people inside your country to get the full protection of the law (unless your company does like national defence contracting, in which case why on earth are you on a legal advice forum 😅). You just have to hire people in countries that have both a) a functioning government and b) are tightly cooperative with your country. OP's mistake here was definitely specific to hiring a developer from countries like Iran or North Korea, which are explicitly NOT cooperative.

      2. Company laptops are good but they are literally and productivity-wise not free and so aren't a "must-have" for every IH company. You should use company-controlled hardware if you are revenue-rich enough to easily afford it and the time/personnel needed to manage it. They are also a must-have if your codebase is guarding someone's mission-critical data (like their location, finances, or health data). In all other situations, I think you have to look at the cost/benefit of these as a nice-to-have.

      3. Is mostly true for things like AWS, but my personal axe to grind as a developer is companies who think this is true for Github (and other sites with a well-fleshed-out org structure). You gain nothing by forcing your developer to make a separate "yourname-org" Github account other than annoying your developer.

      Points 3, 4, and "what to do now" though are all 💯 completely agree.

  7. 4

    the Soundwise codebase without the Soundwise product (including the team, the user community, the brand, the distribution behind it) is not worth much

    Very much on point so this is nothing to worry about. Ignore this guy and get your focus back on what matters - running your business.

    Still, I'm very sorry you got to experience this kind of "asshole-sery" in the first place and I wish you some karmic justice. Maybe some of his potential recruiters/employers will run by this page while doing his identity check - who knows :)

  8. 3

    As a 40 year developer residing in Iran, I should first apologize on behalf of my fellow Iranian developers for such unethical action from this so-called developer. Unfortunately you cannot take any legal actions towards this person that can be of value. Since he lives in Iran, you should hire an Iranian lawyer to press charges against him and that wouldn't work well coming from an American company. It could lead to political complexities as well.
    I have worked in many startup companies and after 20 years being in this job, I have realized that software codes only play a 20% role in a company's success. The other 80% is their logistics, HR, management, etc. So don't worry at all about your codes. He can do absolutely NOTHING with them. They are just lines of code with no meaning without proper documentation. As a professional developer, I won't understand my own codes after a while let alone codes from other sources! Many of my colleagues prefer to re-write a code from scratch rather than dealing with other people's codes.
    Kudos to you for exposing this person who has brought shame to his fellow countrymen and colleagues.
    Wish you the best.
    Rahman from Iran

  9. 3

    As an Iranian living in the US and working at big tech company who has lived here for over 11 years, I had to react and send this reply to apologize to you for this unprofessional behavior from this person even though as you already know, not all people are alike but it's just awful what he has done. I don't have social media and don't have any activity online but receiving this link from a friend really embarrassed me, and worries me that stories like this can cause harm to other Iranian nationals everywhere as they have over and over again.

    The problems with hiring or interacting with entities or persons inside Iran is not limited to people living there but even people like us here who have immigrated to the US legally with different forms of visa. When I was on a work visa before I became a permanent resident later, I did receive an offer from a top tech company in Seattle metro and was supposed to relocate there while I had quit my current job. The employer had missed my immigration status and country of origin although I had notified them of this fact. Yet 10 days before my start date while my car was being loaded into the relocation truck, I did receive a call from a top level manager at their HR that their legal department does not approve of me joining them. Being on an H1B visa after quitting my current job, this was a very devastating situation that could lead to my deportation from the country especially because this was a miss on their side and it was indeed very damaging to me in many aspects (emotionally, professionally, financially, etc) AFTER signing a legal employment contract. This was also at the same time that there were legal remedies for the employer to hire me by obtaining an OFAC license from the government but they had a policy to not do that. In the end of the day, this was a law by the government and they were not to blame for the law (although they were to blame for the miss in their recruitment process for at least 3 months of interviews and visa transfer while they had my passport and visa in front of them the whole time).

    I'm mentioning this just to emphasize that despite all of this hardship, I did not go do anything damaging to them or keep bad blood with them. Knowing their innocent mistake as a big company, they did help put me in touch with other employers that ultimately helped me receive multiple good offers within a couple of weeks. I didn't and don't see them as "racists" and they were happy to see that this mistake did not cause me any more serious damage than what it did right at my 30th birthday time for 2 very stressful months.

    Spending time and efforts to get a job or contract and missing on that is a very normal practice anywhere in the world in any industry, and this must not come as a surprise to this person, however, he seems to have an entitled mentality to demand money for breathing air. I can assure you this person would not make the amount of money he is demanding you as ransom even if he did work non-stop for a whole month or even a whole year. Unfortunately, this is the reality of modern age and we do have entitled people everywhere in Iran, the US, and elsewhere.

    What this person has done is absolutely disgusting and sadly, it will look bad on any other person from Iran living there or abroad not by you but by the fact that many people will read stories like this and this will create some unconscious bias for them. You absolutely should not give in to their demands and should not change your mindset about being trusting and open because this is a very critical factor for success in technology teams especially for startups. However, I have to add that being trusting does not mean that you should not take steps to protect yourself and your assets. I'm personally not a big fan of globalization and outsourcing work to other countries (which is a different topic I don't want to get into) but if you're entering this, please be very careful. It is common for developers in Iran to use UAE, Turkey, or other countries as their location and use a proxy in another country to receive payments in banks. Sadly, Iran has been under massive sanctions and the situation there for many people is arduous and very hard to even imagine for us here (I still have my whole family there so I know what's happening to them). I don't blame people for trying to make a better living with any tools they have but at the same time I don't want innocent entrepreneurs and companies to face courts and legal actions for not realizing some of these lesser-shared laws in the US.

    Last but not the least, I doubt there is much you can do since Iran does not respect any international laws and it will be a waste of time and money for you to go after them. I can also be sure sharing your private source code won't cause you any damage (as long as you make sure you have changed all the auth keys and such for security reasons). What you can do is to please make sure his identity is shared with the government so this person cannot use our big immigration holes to ultimately come here and do this at a bigger scale. It is at time like this that having a centralized database of people like him would be helpful for all governments and employers to vet bad actors and minimize their damage on others (at the same time, I also realize the great dangers of such a centralized database, unfortunately).

    1. 2

      @TexanKevin Wow, I'm sorry to hear you had to go through the ordeal of being given an offer and having it taken away for no fault of your own while on H1B. That must have been so very stressful. I'm glad things worked out eventually and you have a healthy, balanced perspective about that whole situation. And thank you for taking the time to post your very thoughtful comment. I hope more people see your comment and not take this article as reason to bias against a certain nationality, which is totally unjustified.

  10. 3

    I'm from Iran and one thing is for sure that an NDA is worth nothing because there's no way you can use it in Iranian legal system which is a rabbit hole.

    As you pointed out, the company is more than the codebase. I highly doubt anyone can replicate your company with the codebase. Also, I think this guys bluffing and he wouldn't be able to sell it that easily.

    One thing extra, this guy is now being called out in Iranian online (and probably offline) communities so his reputation is rightly so going to bust.

    Do not submit to bullies.

  11. 3

    You have my sympathies. Indiehackers have to deal with a lot of shit, and you certainly didn't deserve this. I really don't think you've done anything wrong.

    Focus on what matters: your company.

    Don't let this asshole distract you. As you yourself said, the codebase without the Soundwise product is not worth much.

    Sadly for Ali, the world is small and life is long. He just burned himself and his consulting business before a very global community. He may find new opportunities denied for other reasons than his country of residence from now on.

  12. 3

    Appreciate you sharing with this, and that's just yet another great lesson for all of to keep in mind when engaging with others.

    I wonder if there were some Github permissions that could have been set so that no singular person can have full "God Mode" access to the entire codebase.

    I totally agree with most others here that you shouldn't worry about others coming up with a competing product. It's very hard to put the codebase together unless there is a ton of business value.

    This all seems like a bluff, but that's purely my opinion.

    THAT BEING SAID, I do think you should be a little cautious about finding any security flaws with the codebase. i.e., were there any improperly stored private keys or is there something that they could do to exploit a code flaw.

    1. 2

      @kool you are right that this incident certainly is motivating us to improve security practices. In the long run that's beneficial to us. In the short run though, one more thing added to our already long task list :P

  13. 2

    Hi Tash
    I read about this situation you are going through. We start to share this in our community so this person never find a job in iran. And about legal action I have to say this person lives in Dubai maybe you have a chance.
    Again I am really sorry about this and we are trying to expose this idiot to other startups.

    1. 1

      @Alirezafirouzyar Thank you so much for your support 🙏Honestly like so many others have said in the comment, legal action would be so expensive and with limited effectiveness, especially given we are a startup with tight resources. We're simply trying to move on from this incident, putting it behind us and focusing on the product instead. This is enough of a distraction already. Thanks again for your support!

  14. 2

    Aside from all correct comments you receive that you should let it go, I'd like to thank you for exposing him and save trouble from someone else.

    You're being kind with being right.

  15. 2

    As an Iranian developer, I'm sorry about what happened to you. This is indeed blackmailing and is a disgusting action and I strongly condemn it.
    Just as everyone else noted, please don't yield to the blackmail at all. As you mentioned yourself, a product is more than just a mere code. And the Indian story is surely a bluff. No registered company lowers itself to be involved in this unlawful action.

    I also thank @ardalan for raising awareness. Because of his tweet, the Persian-speaking developer community is becoming aware and I can say that this person has lost his career and credibility and this deserves him right.

  16. 2

    I'll echo other's sentiments - as horrible as it is, the best recourse is to move on and continue to work on growing and promoting Soundwise. Competition isn't always a bad thing - it usually drives companies in the market to evolve and grow. If that happens, that's what you'd do. I have it on good authority that intellectual property laws here in the US (particular Patent law) isn't as strong as it once was and Patents don't have the teeth that they used to either.

    Blackmail never works out. In the information security community, we tell companies (and people) all the time - don't pay to unlock if you're attacked by ransomware. Even when paying, victims usually don't recover and it sets you up to be repeatedly victimized. If it worked once, it'll work again and again and again.

    You can reduce your risk by making sure that you have separate and different repos for your mobile apps, web app, and backend - each with its own access controls. I get not wanting to throw up a lot of roadblocks for collaboration but you also need to protect your intellectual property at the same time.

  17. 2

    Firstly THANK YOU for sharing this,

    The best learning is the sore stuff and sharing your experience and learning with the community helps us all and will help you move on from this.

    Firstly having your code in the wild isn't that big a deal, he needs someone who wants to buy it , and dependant on what stage you are the codebase he has will be outdated before you are worth a big sum.

    If you can alter the app to outdated his version of the codebase, with access to asset etc

    Work your way out of it , ittterate faster, move the product on quicker.

    As you quite rightly point out the company is much much much more than the codebase, its like ideas, the idea itself has little value, its the effort and quality of the execution that counts.

    Apple sell computers, we all know how to build computers and their architecture but we cant from this be apple, so be SOUNDWISE and learn from this and move on.

    Dont pay him a thing, cut him out and forget about him, when no one wants to buy the code he will realise its worthless, then let his reputation be destroyed he will go on and try mess up someone else, or hopefully learn that he has destroyed his chance with our communities projects and tainted all his countries coders, we wont remember his name but will remember the lesson.

    There is real a lesson about induction process for me in this and some good thinking about legal hires in a new remote global economy.

    Thanks for sharing, if anything I can do to help you guys even just to talk through and focus on the real problems you face, this guy is just an idol threat, your codebase is only worth something to him and its a snapshot of the code at time you have moved past already :)

    Welcome to the school of hard knocks, chin up x

    Best luck

  18. 2

    What kind of code are we talking about here? If it's some kind of algorithm that took you years to develop, this guy needs to find the right people who are competent enough to understand and use it.
    If it's just a CRUD API, don't think anyone will do anything with it.
    Even open source projects aren't interesting if no one is here to maintain it.
    Until you become the next Google, it's just some random leaked code from a random app posted on the internet by a random guy.
    You're probably better off ignoring him and spending your time on something else.

  19. 2

    Do nothing. Accept you've screwed yourself into an unwinnable battle and move on. Do not speak to him, do not speak of him and do not waste more time. Source code is NOT the only asset of a company. Now hope for the best - and please for your own sake do not do this again...

  20. 2

    I'm sorry to hear that you're experiencing this Tash.

    As hard as it is, it's probably best to just forget about it and don't waste any time or money on it.

    The only people that will take this guy seriously and even contemplate using your code acquired from him are other idiots who won't be able to achieve much with it.

  21. 2

    Get over it and move on, as others have said there is probably nothing really you can do and also you said yourself the code is worthless without the brand or product knowledge etc.

    On the other hand it's a good time to reflect and have the right measures in place that this doesn't happen again.

    Couple things you could try:

    1. Do your homework (Can you reasonably hire in that country?) or as others suggested only hire in the country you're at even tho this is sometimes not practical, same as a company laptop that's more enterprise level advice...

    2. Don't let people do assignments on the real codebase (Come up with a somewhat contrived example that they can solve, if they gain your trust and contracts are signed move on.)

    3. Make it clearer that this doesn't mean he's hired yet? Seems there was a misunderstanding or whatever that made him think to cancel his other gigs, now it's most definitely his fault, if I do consulting I count on nothing this shit happens all the time however it's always good to be absolutely transparent on your side as well and communication is always something to improve on from either side

    4. Ideally hire from people you know through introductions or the like, so much more valuable and pre-vetted you might have some slight issues but most likely not this extremely bad actor behavior.

    5. Something I can't think of right now 😎

  22. 2

    Hey Tash, This super sucks but it reads like as a company you're relatively immature.

    A lot has been said about this specific case so I'm not gonna, there's good advice here already. Use this stumble as a way to learn and create a more professional environment:

    • Talk to legal council before considering hiring anyone in general.
    • Talk to legal council specifically to assess risks when hiring from outside your country. Sanctioned countries would've definitely come up. As well as a hundred other risks that you currently don't know about.
    • Yes NDAs are essentially unenforceable across borders. Still you should never, ever send anything to people that don't sign an NDA. Consider this a huge red flag. Them having concerns about the NDA and wanting to discuss it though? Good sign, they're engaged and have attention for detail.
    • Adding potential hires to a Slack? Seems like a bad idea. It's good for potential hires to meet their potential coworkers but that should be in a controlled setting and a pretty late step in the process.
    • You're hiring someone, not going on a magical journey together. Maintain appropriate distance. Getting hired is a very stressful process so while you consider them just one of the applicants, it could actually mean quite a lot to the other person (up to the point where they do dumb, irrational things, as you have learned).
  23. 2

    Don't pay. Make it clear what you want him to do/not do. Get him banned from Angel list. Report his attempt at extortion to your authorities. Move on. Unfortunately trusted him too far too early but easily done. Best of luck.

  24. 2

    Sounds like you dodged a bullet in not hiring this guy.

    I'm sure there are a lot of developers on here that have the source code of their unsuccessful projects and that's because of failed execution, timing, etc. A business is much more than the source code, take it as experience and focus your energy on your business instead of this toxic human being.

  25. 2

    Wow, this is scary for sure. You've already mentioned the key point - the source code without the product team isn't worth nearly as much - and I think the thing to do is just move on.

    I'm not a lawyer, but I think I'd also be a lot more reluctant to publish their full name, contact info, etc. While it definitely feels good, and it's important that others (especially on industry sites like IH) know who not to work with, someone like this might be the type to try to bring a spurious lawsuit against you out of spite. The team will also inherit the attitude of leadership to some extent - the less attention paid, the faster you can all hopefully move on to shipping bigger and better stuff 👍

    Best of luck, and thanks for the warning - I'll keep this in mind for my own code in the future.

    1. 1

      I’m not an expert either but I think the law is the last thing on this person’s mind right now!

    2. 1

      "someone like this might be the type to try to bring a spurious lawsuit against you out of spite."

      I wouldn't worry. He can't afford it.

  26. 2

    Crazy story! It seems amazing that somebody with such a public profile would resort to these sorts of threats.

    That said, did you run this post past your lawyer? If not, you may want to do that.

    1. 1

      @Edwardmsmith you have a point. I probably should do that. Thanks.

  27. 1

    I'm so sorry that this happened and the inconvenience that was put upon you and your company. Recently, I have found it difficult to hire trustworthy contractors especially when I don't know them on a personal or even semi-personal level.

    In my opinion, the best place to hire contractors are through using the network you already have. Recently, my solution to hiring is through AskFora, where you describe what you need, and AskFora then helps find qualified people from your network. With AskFora, a client can find a contractor, get their job done, and pay them, all in the same day. I highly recommend it. If you have a chance to check it out, I'd be curious to get your thoughts on how it works for you.

  28. 1

    I am an Iranian software engineer. Please do not take this ugly and unprofessional act seriously. Iranian programmers are committed. Unfortunately, such people may exist in any country and in any job. Do not give him money and, if necessary, coordinate with other companies so that they do not hire this person. This person and others like him will do great harm to the Iranian programming community.

  29. 1

    As a Persian developer and on behalf of all Persian developers I am sorry for your inconvenience. We are not like him and please don't treat us as to him.

  30. 1

    Maybe there's a fraud blacklist somewhere that you could put him on so that it limits him from getting foreign coding contracts like this in the future, and if someone does end up buying his code they know they're getting it from a fraudulent actor. Seems like your options are limited now that he has the code, but you could try and impair his reputation.

  31. 1

    Thank you for reporting, your post is viral in all persian communities, this is a really bad experience for anyone

  32. 1

    First of all, your title of this announcement is violating the law of racism. I strongly advice you to find out the percentage of Iranian developers who are employed and professionally performing their duties all around the world. Do not magnify this issue. You simply could open a case against that guy and UAE government will appropriately penalise that guy. Secondly, you need a more professional and expert HR team in oder to work globally and use the potential of cheap abroad developers. Finally, I confirm as a R&D director of an Australian company that, NO single business would take advantage of that source code. We seek reputations not being blacklisted by other collaborators. Wish you good luck.

  33. 1

    First of all, it has nothing to do with nationality. Unethical developers (humans) can be found everywhere. There are a lot of talented highly professional Iranian developers in the market. So, I wouldn't present it like it is problem with specific nationality, this time happen to be Iranian, next time can be from anywhere. You only bring nationality to discussion when you want to know get legal advice about taking legal action in a particular country, not when you are talking someone's behavior. However, if he lives in Iran legal actions is not an option for you as American company. But if he has UAE visa should be easier to take actions there.

    Second, I agree that if some one wants to extort you, an NDA wont stop him/her, but if you send someone an NDA to sign and s/he is not sending it back, it is a clear sign to suspend further actions, and probably to be cautious about her/him in future. It is not to justify his behavior, since there is no way to do so, I am just pointing this out for future.

    Third, I think you already punished him very bad with this post. Already the topic is being discussed among Iranian developers and active developers already know about him, so it is gana be a serious problem for him to collaborate in big teams. You want to make it harder post it in LinkedIn too.

    Fourth, your story seems a little bit fuzzy to me. Usually you don't share the whole code (website and app) to evaluate a new employee to hire. There are billions of online services that are being used to evaluate programmers ability. As a IT startup you should know about them. The fact that he accessed the code, means you were an step further than just the beginning, if so, there should be a contract or agreement between you two. And if he really spend some time on your code after the initial agreement/contract, you should respect his time and expertise and pay the fees (based on your agreement). Again, this is not to justify blackmailing.

    Fifth, as an startup, you shouldn't worry too much about your code on this phase, your code is not the most valuable asset of your company. The vision and mission is. So, even if the code is out there, many people can fail it, and only the one who knows where it is going (hopefully it is you) can make it work. So don't worry about it. When your code is the most valuable thing in your company, you will know about it, and you wont share it easily with new employees. So, you can live your happy life and not worry too much about it, but keep in mind that if you have a competitor, an unethical one, they might know your design (they wont use the code if they are serious company). Be smart about your future development and have prepare yourself to have some surprised for your future updates, and everything is going to be fine.

    Good Luck and all the best ;)

  34. 1

    That's a shameful way to conduct business and I can only imagine how energy draining the whole experience must have been.

    Like everyone else said, forget about the moron and start focusing your energies towards your business. I wish you great luck in finding a much better and reliable resource for the work he was supposed to do.

  35. 1
    1. You did the right thing given what had happened at the point this became a crisis.

    2. I agree with @bjorkbat that the potential damage here is probably not existential assuming your company's advantage is in execution and not some trade-secret unpatented technology. You should rotate all the secrets in the codebase, though. Maybe also stop storing secrets in the codebase...

    3. Learn the lesson: not that all developers are evil and need to remain untrusted (we're not!) because I think you're right that that would hurt your productivity and your morale more than it would gain you in security. Rather, the lesson here is that you made a mistake by giving the codebase to a stranger who wasn't yet a part of the team. The codebase and the other internal documents are something a new team-member should get access to on day 1. By that point they( should have signed all the requisite paperwork and you should be committed to paying them for their time with all the requisite legal sign-offs. This guy was definitely acting in bad faith, but you need to be sure that if he had been acting in good faith and had, say, done two days of work for you that you would be able to pay him for that work. Otherwise you would be stealing from him.

  36. 1

    Damn, what a situation. As you mentioned, probably nothing you can do now about it, but I'm sure it won't be a problem for you later. Just continue doing your amazing work and forget about this whole thing 😃

  37. 1

    I would completely ignore him.

    Let him publish the code. The world won't care.

    First, code on its own is not enough. Your startup is not deep tech, so there's probably no insane computer science innovation in the code. Also someone would probably have to spend freakin' ages to understand it and be able to do anything with it.

    Second, your startup is much more than just code. It's the wanting to build a certain thing (not to mention the existing traction and customers). Anyone who got their hands on your code would first need to spend ages to understand it, and then care enough about the space you are in to replicate your business. If they wanted to copy you, they'd almost be better off starting from scratch. And by the way, trying to emulate you once they have the code base would be expensive. How much do you spend on salaries every month?

    Third, people publish things online the whole time, and no one bats an eyelid. Who is the target audience for this code, who's going to want to do anything with it? Is this guy going to be able to find that target audience? Naaaa, no way. He'd have to market your code effectively, and I really doubt he'll bother.

    Basically, he sucks, but he doesn't present any threat in my opinion. You should completely move on.

  38. 1

    ‘ I don't think the answer is to tighten the control“. Really? So if someone walks in to your house because you never lock the doors at night (“we like

  39. 1

    Sorry to hear it. This is a really awful story which can happen potentially with every company. What surprised me though, this guy felt so unpunished that he used a real name that can be found on Linkedin!

  40. 1

    This situation is very complicated. On one hand there is a developer who broke your trust and on the other hand there are developers around the world who you want to hire and trust them. I don't know why but I think you should have counselled to your legal team before hiring such dishonest developer.

    Now that the damage is done I would like to suggest that don't give him the money as he has already stolen your code and he would make one by selling them to third parties.

    Another point I want to make is be calm and cool and focus on your further tasks. Someone stole your code doesn't mean it is the end of the world. Change your codebase, rename classes, variables and functions to something meaningful. Take another approach to your codebase in terms of design pattern. Maybe your code must be spaghetti. Convert them in to a some meaning ful design pattern.

    Before hiring a developer please check his online reputation.

    Thank you

  41. 1

    My lawyer was just talking to me about hiring internationally, and he specifically warned me about hiring internationally with respect to IP ownership.

    Apparently, in various countries the laws area different enough around IP ownership that, even if you have them sign a contract granting you ownership or calling it a "work for hire," you don't necessarily get full legal rights to the work they contribute.

    Most of the time this won't matter, of course, but if you ever want to sell your company, it could surface during due diligence. And then you may be tracking someone down to sign a doc releasing the rights to you.

    As to the current issue: Best you can do is ignore it, as others have said. Lesson learned.

  42. 1

    I honestly think this sounds worse than it is. We like to put a lot of value on code because it is tangible. There is however a lot of value in the knowledge and effort that went into writing that code. You've talked with customers. You have a history of how you iterated your product. You have a vision for how to take the product forward.

    While there are some exceptions, most of the time having the code won't help anyone start the business you've started because it is just one piece of the puzzle. You said it best when you stated that the Soundwise codebase isn't worth much without the product.

    Consequently, I'd suggest modifying your interview slightly. I tend to go through systems design problems based on real issues that we've dealt with. Basically having someone sketch out how they would build something that we've already built. The decision boils down to: would the project have been easier or harder if this person had been around when we did the work?

    You get a good sense of what they are like to work with and whether they can solve the problems you have to solve without having to do a test contract or show them any of your IP.

  43. 1

    Nothing you can do. But you wanna know the secret? It won't matter. Your advantage comes down to business execution. It's going to be how you run the business, your processes that matter. Your code will also evolve. Unless you truly have a ground breaking code that no one in the world has, it won't matter. So focus on your business and best of luck. Next time don't give access to your private repo.

  44. 1

    Hi @ilovewordsworth, what a story. Code extortion. Well, if I were you, I'd also not tight the control. If he hasn't got access to any critical, restrict data/credentials, I'd simply ignore him. Easier said than done, as I'm seeing things from the outside.

    I believe you should turn your focus back to your company as much as you can. I wouldn't spend energy fighting it.

    You have the knowledge, the vision, the passion for your product.

    Curious to see your images, but seems like the links are broken. I wrote this post a while ago to help adding images here on IH.

    1. 1

      @Leo I totally agree with you regarding I should turn focus back to the company and the product. We've got so much to do. This kind of thing is super distracting though. I'm trying not to get distracted.

      Re images, hmm, thanks for the tip. they showed up fine on my side. in any case, here they are https://www.dropbox.com/sh/16kq9wa2v4pt1h7/AADRg7pqJvButGD7EV_N71KUa?dl=0

  45. -4

    This comment has been voted down. Click to show.

    1. 4

      Others can learn from this, at least I can, so I'm glad they posted it.

      1. -3

        This comment has been voted down. Click to show.

  46. 0

    This comment was deleted 7 months ago.

    1. 4

      You lost some time talking with us and waiting for a contract, which we decided not to offer eventually. I understand that this is frustrating to you. But hiring/looking for job is a frustrating and time consuming process on both sides. You're allowed to disagree with our decision to not hire you. But threatening to sell our source code as a revenge out of your frustration is absolutely unethical.

      We didn't send you a contract eventually because we decided not to hire you. Simple as that. It's a legally complicated matter for US companies to hire someone in Iran, and as such, we decided not to offer you a contract because of potential legal complication involved. This is not discrimination against any individual person. It merely reflects the fact that we have chosen not to take on more legal risks than necessary regarding hiring. And we have explained this to you.

      We gave you access to source code out of goodwill, and we expect a NDA to be signed. This is simply the right thing to do, regardless of whether you are eventually hired or not.

      I hope everyone reading this takes it as a lesson in your onboarding practices with potential contractors/employees.

      As a startup, we have so many things on our plate. So our interaction and onboarding process with potential hires is very informal. Most of time it is fine. And our previous experiences with remote hiring has mostly been great. That's why we didn't give a second thought about the process. But as you see here, extreme cases like this do happen. We could have been more careful and have more safeguard measures in place.

    2. 3

      Writing all in caps makes you come across even more crazy, FYI.

  47. 14

    This comment was deleted a month ago.

    1. 5

      That's a perfect reply. Totally agree with this. Facebook and Twitter clones/codebase is available too.

    2. 2

      This. Codebase without docs, env vars, infra setup is so hard to use

Trending on Indie Hackers
I'll try out your product and give honest feedback 12 comments SoundDemocrat Prototype 9 comments Do you panic when you don't get sales for a day? 8 comments I've bootstrapped a DTC brand to $35k in revenue in less than 6 months, AMA! 8 comments Roast my Website 😅 (No-code Founder) 6 comments Anyone else had NO success on Twitter? 5 comments