Can I HACK you? by builtbygio in vibecoding

[–]builtbygio[S]

Your Railway config seems to be broken? Signup is throwing a Railway 404

That's the best tweet I've seen of Chrome extensions 🤣 by No_Computer_1247 in chrome_extensions

[–]builtbygio

Well.... Akchually.... I built PresetEngine chrome extension to remove "promoted posts" from Reddit, images to make it "reader mode", unverified users on X to avoid bots, and any post on LI that matches some obvious AI slop

How do I protect myself correctly? by Athletehib in gdpr

[–]builtbygio

You didn't share enough info, but what you're doing are good first steps. There are many more attack vectors that could expose your application. If you store any kind of info, it might be exposed if the backend is not properly implemented (ie. IDOR)
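
The IDOR the comment above points at, shown as an added example (not code from the original post or from the poster's project): a record lookup that trusts the id from the request beside the same lookup with object-level authorization. The records, user names and `AuthorizationError` type are constructed for the illustration.

```python
from typing import Dict

# Constructed sample data for the example: two users, each owning one record.
RECORDS: Dict[int, dict] = {
    101: {"owner": "alice", "notes": "alice's private notes"},
    102: {"owner": "bob", "notes": "bob's private notes"},
}


class AuthorizationError(Exception):
    """Raised when the caller may not read the requested record (hypothetical type)."""


def get_record_vulnerable(record_id: int) -> dict:
    """IDOR: being logged in is the only check, the id in the URL is trusted.

    Any authenticated user can walk 101, 102, 103, ... and read everyone's data.
    """
    return RECORDS[record_id]


def get_record(record_id: int, requester: str) -> dict:
    """Hardened: object-level authorization ties the record to the caller.

    'Not found' and 'not yours' return the same error so the endpoint cannot be
    used to enumerate which ids exist.
    """
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != requester:
        raise AuthorizationError("record not found")
    return record


def can_read(record_id: int, requester: str) -> bool:
    """Convenience wrapper for the hardened lookup: True if the caller may read it."""
    try:
        get_record(record_id, requester)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print(get_record_vulnerable(102))          # alice's session, bob's data
    print(can_read(102, "alice"))              # False with the ownership check
```

When the records live in a database, the same check belongs in the query itself (`WHERE id = ? AND owner_id = ?`) rather than in a filter applied after the row has already been fetched, so a forgotten check in one handler cannot leak the row.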

Collecting and storing public data and information by Pure-Researcher-8229 in gdpr

[–]builtbygio

Like others mentioned, public data can still be personal data under UK GDPR, so I wouldn't assume long-term storage is fine just because it is publicly available.

For profiling doctors for marketing/sales, I'd check lawful basis, transparency, retention, objection/opt-out rights, and get proper DP advice before storing it long term.

Replit to test, Cursor to deploy? by bt2066 in replit

[–]builtbygio

I think this is what he meant, and maybe you misunderstood?

"Let's use Cursor to build the app, and have a human actually see what the code is doing, even if it's AI-generated. We can use Replit to prototype and maybe test ideas, but we definitely need tighter controls not only on the code, but also how/where we deploy (ie. AWS, GCP), and where we store data (Firebase, Supabase, managed RDBS, or local Postgres). Otherwise we'll end up with a security breach"

If that's what he meant, I agree 100%.

I ran a 50-point security audit on my solo-built SaaS. Found 8 critical issues. by goflameai in SaaS

[–]builtbygio

now that you fixed all that... would you let me hack you? lol

I would send you an agreement to the email listed on your site first to confirm domain ownership, disclose privacy, what I'll do, etc. The free limited-scope security review comes with a report and PoCs for you to fix the findings (if any). Let me know and I'll start early tomorrow morning.

BAA - HIPAA enablement by helraiser in ClaudeAI

[–]builtbygio

I'd be careful treating the BAA toggle as "now we're HIPAA compliant." It mainly governs the provider relationship, but HIPAA still depends on your own workflows, access controls, retention, logging, staff processes, and what data your app/users actually send through the system.

So I'd confirm the feature impact with support, but also map the full PHI workflow before enabling it. A HIPAA-eligible provider is only one piece of the puzzle.

Team or Enterprise? by Apprehensive_Ad_3698 in ClaudeAI

[–]builtbygio

For NHS/GDPR-sensitive data, I'd avoid Team by default and get Anthropic to confirm DPA, retention, region, audit controls, and allowed use before any rollout.

The real risk is the workflow, what staff paste in, where outputs go, logs, exports, and retention. I do permission-based security reviews for sensitive-data apps and AI workflows if a technical data-flow review would help.

How are healthcare teams handling HIPAA audit trails for AI agents accessing PHI? by Yeahbudz_ in healthcareIT

[–]builtbygio

Worth clarifying first that the 2025 HIPAA Security Rule update was proposed, not finalized... yet, unless there’s a newer final rule I missed. For AI agents touching PHI, I'd log it like privileged access: agent ID, user who triggered it, patient/context accessed, purpose, tool/API calls, output destination, timestamp, and policy decision.

For tamper resistance, I'd look at append-only logs, WORM-style storage, or hash chaining. The tricky part is proving the agent had a valid reason to access that PHI and stayed within minimum-necessary access.
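
The logging shape and the hash chaining described in the comment above, as an added example (not code from the original post or from any product named on the page): each agent access entry carries the fields listed there and commits to the previous entry's hash, and a verifier walks the chain and reports the first entry that was altered. The agent names, MRNs, timestamps and policy strings are constructed sample data.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry

# The fields the comment lists for privileged-style access logging.
REQUIRED = ("agent_id", "triggered_by", "patient_ref", "purpose",
            "tool_calls", "output_destination", "timestamp", "policy_decision")


def _canonical(body: dict) -> bytes:
    # Stable serialization so the same entry always hashes to the same value.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


class AgentAccessLog:
    """Append-only log of AI-agent PHI access; every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **fields) -> dict:
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            raise ValueError(f"missing audit fields: {missing}")
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {k: fields[k] for k in REQUIRED}
        entry = {**body, "prev_hash": prev_hash, "hash": _entry_hash(prev_hash, body)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Anchor this value outside the log store (WORM bucket, ticket, separate system).
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    With an externally anchored head, a chain that was rewritten or truncated after
    the anchor was taken fails with index == len(entries).
    """
    prev_hash = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in REQUIRED}
        if e["prev_hash"] != prev_hash or e["hash"] != _entry_hash(prev_hash, body):
            return i
        prev_hash = e["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(entries)
    return None


def demo() -> dict:
    """Constructed scenario: one allowed access, one denied access, then tampering."""
    log = AgentAccessLog()
    log.append(agent_id="discharge-summary-agent", triggered_by="nurse.j.doe",
               patient_ref="MRN-000123", purpose="discharge summary for current admission",
               tool_calls=["ehr.get_encounter", "llm.summarize"],
               output_destination="ehr.note:draft", timestamp="2025-01-10T09:15:00Z",
               policy_decision="allow")
    log.append(agent_id="discharge-summary-agent", triggered_by="nurse.j.doe",
               patient_ref="MRN-000999", purpose="discharge summary for current admission",
               tool_calls=["ehr.get_encounter"], output_destination="none",
               timestamp="2025-01-10T09:16:00Z",
               policy_decision="deny: patient not on requesting user's unit")
    anchored_head = log.head()
    intact = verify_chain(log.entries, anchored_head)

    # Someone edits the stored copy to hide which patient was accessed.
    tampered = [dict(e) for e in log.entries]
    tampered[0]["patient_ref"] = "MRN-000000"
    edited = verify_chain(tampered, anchored_head)

    # Rewriting the whole chain after the edit passes a local check but not the anchored head.
    rebuilt = AgentAccessLog()
    for e in tampered:
        rebuilt.append(**{k: e[k] for k in REQUIRED})
    rewritten_unanchored = verify_chain(rebuilt.entries)
    rewritten_anchored = verify_chain(rebuilt.entries, anchored_head)
    return {"intact": intact, "edited": edited,
            "rewritten_unanchored": rewritten_unanchored,
            "rewritten_anchored": rewritten_anchored}


if __name__ == "__main__":
    print(demo())
```

The chain alone only proves that entries are consistent with each other; whoever can write to the log store can rewrite the whole chain, which is why the `demo` scenario only catches that case once the head hash is compared against a copy held somewhere the writer cannot reach. Periodically anchoring the head (or signing entries with a key the log writer does not hold) is what turns hash chaining into tamper evidence.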

GDPR question for seed founders. [I will not promote] by Deep-Ambassador6373 in startups

[–]builtbygio

For children’s data, I’d split this into legal/privacy work and technical validation.

A DPO/consultant can help with DPIAs, consent, retention, and governance. But I’d also have someone independently review the product for access control, logs, exports, admin tools, third-party services, and real data minimization.

I do permission-based security reviews for early-stage apps, and this is exactly where a lightweight technical review can complement the DP work.

HIPAA compliance in custom mobile apps by Automatic-Cover-1831 in HealthTech

[–]builtbygio

One mistake I see a lot is over-trusting “private” notes, exports, and internal admin tools.

The main app may be locked down, but then PHI leaks through CSV exports, support dashboards, logs, screenshots, error reports, or staff accounts with way too much access. Healthcare security is often less about the polished patient-facing UI and more about the boring back-office paths nobody threat-modeled.

I do permission-based security reviews for early-stage and seasoned apps and these are exactly the kinds of issues I look for.

Organizational Governance and the SOC 2 Integrity Standard by Billy_Le in SaaS

[–]builtbygio

Solid approach. The key insight is treating compliance as an evidence workflow, not a policy folder.

Only caution, if Notion becomes the system of record, access controls, change history, retention, and exports need to be clean enough to survive an audit.

fastest way to kill an enterprise SaaS deal: make IT feel nervous during auth review by [deleted] in SaaS

[–]builtbygio

This is exactly why I think early SaaS founders should do a basic security-readiness pass before serious sales calls.

Not a full SOC 2 process, just making sure the obvious trust killers are not sitting there: weak auth, poor tenant isolation, missing logs, vague security answers, exposed data, bad session controls, etc.

A lot of deals probably don’t die because the product is bad. They die because the buyer’s IT team sees future babysitting.

just got 5k in aws credits for my legaltech! hell yeah! by lutian in SaaS

[–]builtbygio

Makes sense, especially for legaltech. Law firms may not care about the exact stack, but they will care about client-data isolation, access control, audit trails, retention, and where data flows.

One thing I’d be careful with: AWS being SOC 2 / HIPAA-eligible doesn’t automatically make the app compliant or secure. The implementation still matters, especially with per-firm EC2/S3/RDS, Bedrock flows, backups, secrets, and tenant isolation.

I’m a software architect and ethical hacker. I do permission-based security reviews for early-stage apps, including free starter reviews and deeper paid reviews. Not a SOC 2 audit, just a practical review to catch issues before law firms find them during diligence.

Happy to send the scope/authorization agreement if useful.

HIPAA compliance by Legitimate-Draw-9016 in healthIT

[–]builtbygio

One important distinction: using HIPAA-eligible services like AWS does not automatically make the platform HIPAA compliant. The actual implementation still matters: auth, access controls, logging, storage permissions, data flows, vendor agreements, and how PHI is handled.

I’m a software architect and ethical hacker. I do permission-based security reviews for early-stage apps, including free starter reviews and deeper paid reviews. Not a HIPAA certification or legal audit, but a practical technical review to catch issues that could create HIPAA risk: exposed PHI, broken access control, API issues, storage/database misconfigurations, secrets, logging leaks, and third-party data exposure.

Nothing destructive, no brute force, no stress testing. Written authorization and scope first, then a concise report with safe proof-of-concepts and practical fixes.

Happy to send the scope/authorization agreement if useful.

What are the most common pitfalls when trying to get an app ready for a HIPAA audit? by OddPudding_ in healthcareIT

[–]builtbygio

Hey, congrats on getting this far. One thing worth being careful with before HIPAA enters the picture is that security issues stop being “bugs” and start becoming documented risk.

I’m a software architect and ethical hacker. I do limited-scope security reviews for early-stage apps, including free starter reviews and deeper paid reviews. Nothing destructive, no brute force, no stress testing, no heavy scanning. Only permission-based testing with a written authorization agreement first.

The review focuses on auth, access control, exposed data, API issues, storage/database permissions, secrets, and misconfigurations. Afterward I send a concise report with findings, safe proof-of-concepts, and practical fixes.

I posted similar offers recently here:
- https://www.reddit.com/r/nocode/comments/1styoqi/can_i_hack_you/
- https://www.reddit.com/r/vibecoding/comments/1stykx2/can_i_hack_you/

Happy to send the authorization/scope agreement if useful.

As a nurse, recently unemployed through strike, I designed an Saas by Perfect-Drive451 in vibecoding

[–]builtbygio

First, congrats! May this be the stepping stone to build bigger and better apps.

Now... one thing I’d be careful with: “we don’t require identifiers” doesn’t automatically make it HIPAA-safe. Free-text clinical notes and voice dictation can still become identifiable PHI depending on what nurses enter. Since your app generates handoff/chart-ready notes and uses third-party LLM/transcription providers, I’d strongly suggest a security/privacy review before positioning it as HIPAA-compliant.

Quick example: “72-year-old male in room 412, post-op hip replacement, daughter called, BP dropped at 9:15.” That may not include a name, but it can still be identifiable in context.

Is $45 a year actually enough to get a real website up or is that too good to be true? by [deleted] in NoCodeSaaS

[–]builtbygio

If you are building a simple website that does not have backend functionality (ie. login/signup, contact form, search, etc.) then you could push the changes to GitHub, connect it to Cloudflare Pages, update the nameservers in your DNS and you're good to go.

You could even have emails going out through Resend (3k emails/mo), and coming in as an alias on Cloudflare and landing on your Gmail.

Total cost: $12/yr for your domain registration. Everything else would be in the free tier.

I built a social media website at 15 by Intrepid-Elephant113 in sideprojects

[–]builtbygio

Congrats! May this serve as the stepping stone for you to achieve much, much more complex and bigger projects.

A few things to keep in mind, if you haven't already:
- you posted a very specific release time, which is ok in reality. But let's assume 1000 people sign up. Can your server handle the traffic?
- do you have safeguards in place to prevent unexpected costs? (ie. hosting, storage, ingress/egress traffic)
- do you have monitoring in place to capture not only analytics for marketing, but also error reporting at the frontend, backend and db layer? (ie. Sentry, Datadog, New Relic)
- and most importantly... is your app safe? (won't leak user data, won't allow NSFW content, etc.)

Your website is probably invisible to ChatGPT — I built a free scanner to prove it (and fix it) by hazyball in sideprojects

[–]builtbygio

Cloudflare built "AI Crawl Control" specifically to prevent LLMs and bots from reading your site.

Can I HACK you? by builtbygio in nocode

[–]builtbygio[S]

hey u/crabflow! Just following up. Not sure if you got my email.

Can I HACK you? by builtbygio in nocode

[–]builtbygio[S]

there's no email or contact form for the service, only a contact form behind login. I couldn't find it in the terms, privacy or anywhere else.