
Security bugs engulf ShipFast, a popular indie hacker's product, in drama

ShipFast is one of the most popular indie projects ever, but a wave of security bugs has thrown it into controversy.


Being one of the biggest names in the space, Marc Lou is always one of the most discussed indie hackers on the X timeline. He's frequently praised, and just as frequently criticized.

Now he's at the center of an explosive controversy that has drawn the entire indie hacking community into a debate over product quality, security practices, and the ethics of public bug reporting.

And it all began with a tweet from a fellow indie hacker.

Simon finds a bug

On October 18th, an indie hacker who goes by Simon quote-tweeted a post praising ShipFast's affiliate program:

The tweet went super viral, pulling in four million views, and it was a precursor to the debates that followed. Some people defended the merits of boilerplates; others took the opposite position.

But Simon wasn't done. Later that day, he posted about an error in ShipFast's server-side validation:

With 11 million views, this tweet went even more viral than the first. As you'd expect, the discussion was much livelier than before, with many indie hackers feeling that Simon had violated the unwritten rules of bug reporting by disclosing the issue publicly.

Here’s John Rush with an accurate representation of the prevailing sentiment:

However, Simon didn’t feel he'd done anything wrong.

And he wasn't alone in that belief:

Marc, meanwhile, seemed completely unamused:

Little did he know that Simon was just getting started.

And another one, and another one…

On October 19th, Simon tweeted that he'd found a new Marc Lou-related bug.

This time it was a serious security vulnerability in IndiePage, and because of its seriousness, he sent Marc a DM instead of posting it publicly.

Later that day, he put ShipFast on serious blast:

He then criticized Marc's use of inline SVGs instead of an icon library, and described how he had been able to get ShipFast for free.

This seemed to spur an informal community security audit, as other people also began to find serious security vulnerabilities:

According to Simon, the reason for his crusade was simple: ShipFast costs $200 and is used by a lot of people, so it deserves the highest level of security. So, if Marc isn't going to respond to private reports, Simon has no choice but to post publicly.

Justified or not, this got Marc’s attention, and not in a good way:

Unfortunately for Marc, it also got the attention of the rest of indie hacker X.

The boilerplate debate

After Simon's numerous finds, many of the people who had previously supported Marc Lou began to turn against him, with the consensus being that his response had been too dismissive given the seriousness of the issues:

This then became a debate over what a boilerplate should be:

And how a boilerplate should be marketed:

Even Pieter Levels chimed in:

What does this mean for the future of indie hacking?

With this tweet, Marc put an end to this saga:

But the debates spurred on by the drama are sure to stay:

  • What should be expected from a boilerplate?

  • What is the correct way to report a bug?

  • And, as Dagobert puts it, is the indie hacking community becoming toxic?

It’ll be interesting to see how these questions are answered in the coming months and years.

Stephen Flanders

Stephen Flanders is an Indie Hackers journalist and a professional writer who covers all things tech and startups. His work is read by millions of readers daily and covers industries from crypto and AI to startups and entrepreneurship. In his free time, he is building his own WordPress plugin, Raffle Leader.

  1. 6

    The entire point of boilerplate code is that it takes care of something that is tedious, repetitive or time-consuming to implement correctly (such as security best practices).

    If, as the boilerplate author, you don't want to deal with such business-critical code, fair enough (I don't blame you); don't include it in your product.

    What you absolutely cannot do is release a paid product containing code with glaring security holes. If you assume the responsibility of writing security-sensitive code, it had better damn well be secure, end of story.

    Mistakes happen, of course. None of us writes perfect code. But acting as though this isn't a big deal is arrogant and irresponsible.

    It's also entirely irresponsible to blithely tweet details of a serious security hole that could affect hundreds of people using this product.

    In summary, nobody came out of this looking good.

    1. 1

      Agreed. One issue here is system fault tolerance and relying on a solopreneur traveling the world with a laptop for mission critical components in a SaaS app.
      Another issue here is a "boilerplate" or "jump start" vs. tried and tested systems and sub-systems. Marc is providing a "head start", not a sure thing. There are no short cuts to a commercial, safe 'n sane SaaS release.

  2. 4

    Simon's way of getting Marc's attention was very much uncalled for. He could've quietly sent an email or a DM and should've waited patiently for Marc's reply, but I get that this is what people will do just for some engagement.

  3. 4

    It's an interesting debate.

    Could he have shipped a better product in terms of security? Yes.

    Could he have handled it better instead of starting to block people? Yes.

    But the toxicity and jealousy this revealed in the community is just such a shame 🫣

  4. 3

    I think Marc's ego didn't allow him to accept that a random guy was proving him wrong and exposing problems in his codebase. He should have handled it in a professional way.

  5. 3

    As usual, the problem came from bad communication.

    Imagine a company with good communicators instead of Marc facing the same problem: someone found serious bugs and told them.

    What would they do? No matter how responsible they are, if they are good at communication, they would start by thanking the reporter and assuring them that the bug will be fixed as soon as possible. To show their level of respect for their users and their sense of responsibility, they would do it publicly, too.

    Note, I don't touch on the point of whether they would really start fixing the bug; I'm talking only about communication. Being a good communicator also goes side by side with understanding such a thing as "reputation". Articulating the problem aloud and thanking the bug hunter, no matter how harsh he was or how bad the bug was, is always good and leads to building a good reputation and, as an outcome, bringing in more paid users.

    Ignoring the problem, or even publicly hating those who dared to doubt the quality of your product, can lead to very bad consequences: a bad reputation, lost customers, and eventually oblivion.

    A good lesson for all of us.

  6. 2

    The whole story just felt like bullying / mobbing to me.

    With just the context here at hand, I suppose it's hard to not get defensive, when the first interaction can likely be interpreted as an insult to the thing you've built for a while. It may not have felt like a "funny comment" to the maker of the boilerplate. But once the poster could actually show problems, the maker needs to change their view of it.

    As an outsider to this story, I don't think the reporter of the issues makes the best impression here and the maker doesn't deal with it very well.

    I believe both sides could learn from this, if they'd want to:

    1. If you want the world to become a better place, be nice and allow others to improve themselves. Report problems in private, give credit in public.

    2. If someone tells you about a problem, even if done in a dismissive tone, don't ignore it. Try to remove the tone and think about the message.

    In my experience, if you have someone try to put you down by this: Be as nice as possible. You may add context to make the other side understand why you might have missed this. If they are still arrogant / dismissive: Other people may read your interactions. Who will they like more? The maker, who plays nice and improves even if they get insulted, or the reporter who tries to put them down whenever they can?

    And if you happen to be the reporter trying to be funny in front of your bubble: Understand that you are showing that you act like a bully. Try to become more diplomatic. Say sorry.

    Oh and the ones who started reporting more vulnerabilities in public after the initial interactions: That's mobbing. Do you really want to be part of it? Report your findings in private or offer help, if you want it to improve...

    1. 2

      Well said 👍 As someone recently said in a conversation, good communication seems like a lost art today.

  7. 2

    Very interesting, and I think both points of view are understandable. The thing is just to respect and understand that we are not robots but humans.

    Shit happens, and it's not a reason to blame Marc or say it's a scam. At the same time, I can see that Marc receives a lot of complaints every day and could be a bit annoyed, but these are still feedback. As annoying as they are, they help to improve his business and product!

  8. 1

    @Steve - are we aware if the product has had its major security issues fixed?

  9. 1

    I don't understand why people think the paywall is a protection; you can just copy the code from another developer who bought it. The protection is actually the legal document saying you are entitled to use his code. Otherwise, when you grow, you will be vulnerable to legal issues, and perhaps buyers will not want to buy your company from you or invest in it. Not a lawyer, but I thought I'd point that out to anyone who thinks that simply copying code = ownership.

  10. 1

    Thank you for the great overview! I was very interested in this but don't use twitter for reasons. :D

  11. 1

    I'm using the ShipFast boilerplate. Why is Marc criticized? No one is perfect in this world. Time flies, and the code will improve through community suggestions and bug reports. Even the big giants have security issues in their code. I've been in this space for the last 10 years, in a specific niche, dashboard development. We are still figuring out the best possible code.

  12. 1

    I love Marc to the moon and back. The man has really inspired me to be an indie hacker and take my future into my own hands. He's even the reason I took my Django very seriously and stopped worrying about tech stack for the time being, but I still have something to say about this whole saga:

    He clearly didn't handle it well. As someone who has built his marketing around shipping fast, not using type-safe code, and not running tests, I see why this backlash might hurt his feelings, but clearly there were better ways to handle it.

    Marc has secured a place as a legend (to most people) in the Indiehacker space and one thing that comes with fame is scrutiny; I mean, take Justin Bieber for instance. Lol, not the same but you get my point.

    I just think one of the things this would bring to the "ship-fast" ideology is a "ship-safe" ideology too, especially when boilerplate code is the product being sold.

    Either way, I still want to be like Marc, as I'd love to be like Elon; just in some ways.

  13. 1

    Thanks for the write-up! I saw the tail end of it on Twitter and this was a great way to get full context.

  14. 1

    Interesting debate

    1. 1

      It really is. Any thoughts?
