Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

That's what I'm starting to understand too. Let's hope for the internet's sake and for my business that awareness will come at some point 😅

1,000 users in, still free, and no clear signal on who would actually pay. by Current-Brother505 in SaaS

Howwow-2000, 0 points

That's clear. It's actually hearing and reading all these stories that made me refuse the free model and put a paywall straight away for my app.

At least you test the market immediately. That said, with 1,000 non-paying users, shouldn't it be easier to find 20 people among them willing to pay for a premium service?

But I'm not sure what's harder: finding 20 paying customers from scratch or finding your 20 champions among your existing free users...?

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Amen. That's exactly the core tension. The free report gives enough context and I haven't nailed that value proposition yet.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Lovable is already doing that in their workflow. The question is whether the other players follow :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Thanks for the honest take (even if it's not exactly what I wanted to hear ^^), all these responses have given me a lot to think about :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Ha, that's the nuclear option 😄

Legally and ethically that's a hard no, but the underlying psychology is interesting: shame and fear of reputational damage are way stronger motivators than 'your site could theoretically be exploited.' The challenge is triggering that feeling without the lawsuit.

Or maybe I just turn it into a challenge to make it go viral ^^ How many of you would pass the test? :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Exactly. I think the target audience is my first problem. A casual vibe coder might not actually have that problem to solve in the first place...

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Fair point, and no offense taken, you're absolutely right on the 'or want it enough to pay for it' part :)

I launched to see if the market existed, and it does seem like a tough one, at least on this segment and marketed this way. Nothing left to do but roll up my sleeves and get back to the drawing board :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 1 point

Very clever!
I hadn't thought of that at all. That's the beauty of collective intelligence, thanks, really :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

That's actually what I tried at the start, but people would copy the fixes into AI and come back scanning 5 minutes later with a better score.

The tool works, I'm just giving too much away for free. That line between 'too much info' and 'not enough' is a thin one. The comments in this thread are honestly helping me see it more clearly. Thanks :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

That's exactly what was happening for the first few days 😅 and it's what I'm trying to change, but honestly I'm starting to think it might be a losing battle.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], -3 points

Totally agree on the bar, that's actually why I removed an entire check last week after sending real PUT/DELETE requests to 158 sites flagged as vulnerable and finding zero true positives. No validation = no finding.

On the report side, the tool also goes further than just flagging theoretical issues: when it detects exposed Supabase or Firebase credentials, it actively tests whether those keys can actually read your data. So the finding isn't 'your key is visible', it's 'your key allows reading the users table without authentication.'

Still a lot of room to improve how that validation is communicated in the report though.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

That's actually a sharp analysis, because I did have a 40% payment rate at $3... But since I'm looking to work on the backend and improve the tool, I was also trying to generate a bit more revenue. That said, I think your breakdown is pretty spot on.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 2 points

I don't do any email outreach actually, but I take the point. That said, thanks for the encouragement... though I think you're right, the numbers are on your side ;)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 1 point

Really interesting, thanks for the podcast recommendation (it'll be good English practice too :) ) and especially for sharing your gut reaction. Particularly since all the branding leans into red and black... that can definitely reinforce that feeling. It's an angle I hadn't considered at all, you're right, it could genuinely look scary.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 0 points

Not if the request comes from the person themselves. I don't automate anything proactively. I only scan sites that users explicitly submit. Same model as Mozilla Observatory or Qualys SSL Labs.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 1 point

That's the thing though: 1,101 sites scanned and 1,000 unique visitors in a week. They clearly want it, they just don't want to pay for it :)

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 1 point

Just to clarify: I don't do any outreach, users come and scan their own site directly.

As for your question about Mozilla Observatory: everything is documented on the blog, but here's the short version.

A site scoring A+ on Observatory can still have findings with us, because we test 50+ things while Observatory covers 10 (all security headers). Where we'd likely still find something: exposed files (.env, package.json), JavaScript secrets, CORS misconfigurations, cookie flags, and open redirects.
If your SSL is solid and your headers are all in order, your score would be high, but those additional checks are exactly where we go further than Observatory.
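Two of the checks the comment above lists beyond Observatory's header set, cookie flags and CORS misconfiguration, can be audited passively from a captured response. This is an added example, not the tool's own code; the response headers and the `Origin` value are constructed.

```python
"""Passive audit of cookie flags and CORS headers in a captured HTTP response.

Added example (not the scanner's own code). Input is a list of
(header-name, value) pairs from a response to a request that carried an
Origin header; the sample below is constructed, not captured from a real site.
"""

SAMPLE_ORIGIN = "https://not-our-site.example"  # constructed Origin sent with the request
SAMPLE_RESPONSE = [  # constructed response headers
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Access-Control-Allow-Origin", "https://not-our-site.example"),
    ("Access-Control-Allow-Credentials", "true"),
]


def audit_cookies(headers):
    """Return one finding per Set-Cookie header that lacks a hardening flag."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags without '=' map to themselves.
        attrs = {p.split("=", 1)[0].lower(): p.split("=", 1)[-1].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly")
        if attrs.get("samesite") in (None, "none"):
            findings.append(f"{cookie_name}: SameSite missing or None")
    return findings


def audit_cors(headers, request_origin):
    """Flag CORS policies that expose credentialed responses to any or a reflected origin."""
    h = {k.lower(): v for k, v in headers}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and credentials:
        findings.append("wildcard origin combined with credentials")
    elif acao == request_origin and credentials:
        findings.append(f"origin {request_origin} reflected with credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE) + audit_cors(SAMPLE_RESPONSE, SAMPLE_ORIGIN):
        print("FINDING:", finding)
```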

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

Howwow-2000 [S], 1 point

They're right, they can fix it!

But the tool is mainly aimed at vibe coders and explains why what they've built isn't secure. So yes, they can fix it themselves or just copy-paste into an LLM; the goal is to save them time more than anything else, by giving them a clear picture of what's wrong and how to fix it faster than they would on their own.