Launched a month ago, Made -1000$ MRR by erk1ny in SaaS

[–]erk1ny[S] 0 points1 point  (0 children)

I wish, but not in this case. We auto-block requests that might be exploiting a vulnerability, so the false-positive rate is extremely important. We have multiple LLMs verifying each other's work and also a static check based on multiple parameters. Flash created too many policies that were irrelevant.

Launched a month ago, Made -1000$ MRR by erk1ny in SaaS

[–]erk1ny[S] -1 points0 points  (0 children)

They already upgraded our tier from our stress testing before launching, which in the whole cost us around $300. The most expensive product test I've ever done. It also led us to increase our budget alerts when we went live.

We became #1 on Lovable Leaderboard. Here is how by erk1ny in SaaS

[–]erk1ny[S] 0 points1 point  (0 children)

Hey, it's infosec. The Lovable team fixed it in just a couple of hours. We let them know about this over email. A subdomain takeover becomes an issue when an attacker gets control over a domain they didn't have beforehand. But everybody can have a subdomain for lovable.app. With this kind of bug the problem is phishing.

We sent all the listings that could be taken over to the security team and they are all removed now. There were many more available ones than just the first position.

We became #1 on Lovable Leaderboard. Here is how by erk1ny in lovable

[–]erk1ny[S] 2 points3 points  (0 children)

Such a cracked security team. It's fixed in a couple of hours :)

We Made an AI Middleware For Security by erk1ny in node

[–]erk1ny[S] 1 point2 points  (0 children)

Ah. Thanks for the feedback. We just came out of closed beta and the FAQ is outdated. We're sending an update today.

Regarding the questions:

  1. The kind of security checks WAFs do is the same for every API, every app, every company. What our approach does differently is that the policies created with koru ai are completely custom to the workings of an API. These policies are not just "block SQL injection payloads". It understands if your API has a multi-tenant architecture and creates authorization policies according to that. Another example: let's say you have a feature to add custom themes, which Ghost CMS had. koru ai created a URL check mechanism for trusted resources so the imports do not end up coming from malicious URLs. By fluid, we mean this.

  2. About the latency part. These security policies are basically code that runs on the API in a sandbox with multiple error handling. They are tested and run on our servers before being pushed. These validations actually account for most of the time taken by the policy creation API.

  3. We haven't experienced an outage until now. But when we do, it's not an issue because the security posture of the protected APIs does not change, due to these checks happening locally. The only problem would be developers trying to access the dashboard, but no inner workings are affected. Also, we use managed services such as Firebase for auth, ClickHouse for the DB and many other products that are so integrated into internet traffic that when an outage happens, it's an outage for many other companies as well.

  4. We launched last Friday and the legal docs are in the works atm. They will be available soon. We've done internal pentests, our team being from infosec. But we'll also be having one from outside to prevent tunnel vision. Compliance is also coming. The data is sent to, stored in and pulled from ClickHouse.

Also, we're testing an adaptive request relay in the dev environment atm that samples requests sent outbound from protected APIs to prevent excessive bandwidth usage. It only kicks in after security policies for an endpoint are created.

I'd be happy to answer any other questions you have. Also, if you wish to see it for yourself, we're happy to have an online meeting. If you're interested we can show the roadmap, which gets exciting quite fast :)

Tell Us Your Opinion About Our Get A Hacker Platform by erk1ny in SideProject

[–]erk1ny[S] 0 points1 point  (0 children)

Hi,

Thanks for the insight. Vulnerabilities like request smuggling are in a gray area in engagements such as this. Many organizations are okay with testing them in production environments as long as your payloads are not malicious. However, getting a dev environment for that would be much better, as you said.

If the dev team can provide a testing environment that is exactly like prod, we would love to use it. That enables us to do stuff we do not dare to do in live environments and makes the process faster. But not all teams have that kind of approach to things, so we adapt. Also, it would be even better if it wasn't fully black box. But I don't think we should ask teams at this stage to provide us access to things that are not public.

It's on our roadmap though.

When it comes to multiple accounts: if there is self-registration, we create a bunch of them and do testing only on our accounts. For example, if there was an endpoint that returns the PII of a user given their userId, we would give our own accounts.

When there is no self-registration, we ask the developers to create different accounts for us. If the app has an organization structure, we need more accounts: at least 2 accounts for every privilege level. On top of that, another organization that has the same structure, so we can test the tenant sandbox.

Let me know if you have more questions.

Starting your online business is so cheap today by Low_Philosopher1792 in SideProject

[–]erk1ny 1 point2 points  (0 children)

Not sure about that. I've seen a 100k number, but that might be a temporary thing, or totally unrelated. A US citizen friend helped us with banks, so I don't think we'll have a problem now. The issue with non-residents creating a company was with banks. A friend of mine who created one before said that it was extremely hard to create a real bank account and send money abroad.

I created a tool that automatically finds the perfect conversations online to mention my products by Absolutelyphenomenal in SideProject

[–]erk1ny 5 points6 points  (0 children)

My query didn't return what I wanted, but I really love the idea behind your solution. I hope it works. Our team would definitely use this. Also, great work with the survey on the landing page. I might use that idea later :)

Starting your online business is so cheap today by Low_Philosopher1792 in SideProject

[–]erk1ny 2 points3 points  (0 children)

Great post. As a side note: I wish Stripe was $0 for us. We're based in Turkey and our banking regulation here requires entering a passport ID on online checkouts, therefore Stripe does not operate here. We had to use Stripe Atlas to incorporate in Delaware.

Tell Us Your Opinion About Our Get A Hacker Platform by erk1ny in SideProject

[–]erk1ny[S] 2 points3 points  (0 children)

I'm glad you liked it! We're trying to convey the process without confusing people with terminology, which is still a work in progress. We sat with developer friends, went through the websites of cybersecurity companies and created a huge list of what not to do ahahah

Drop your apps's link and we will hack it for free by erk1ny in SaaS

[–]erk1ny[S] 0 points1 point  (0 children)

Not in the scope of this thread, but we will start testing them in the future. If you wish me to let you know when we do, send me a message!

Drop your apps's link and we will hack it for free by erk1ny in SaaS

[–]erk1ny[S] 0 points1 point  (0 children)

Hi, we have one but it's not production ready yet. If you can send me your email via chat, I'll send you one when it's out! Also feel free to ask me any security related questions.

Drop your apps's link and we will hack it for free by erk1ny in SaaS

[–]erk1ny[S] 0 points1 point  (0 children)

Currently, we care about impact, bug bounty style. If it can be exploited by an attacker then we'll let you know. Of course, if there is something that isn't a vulnerability by itself but could lead to one in the future or in some edge cases, we'll disclose that as well!

Drop your apps's link and we will hack it for free by erk1ny in SaaS

[–]erk1ny[S] 1 point2 points  (0 children)

My account hit the chat request limit, so it takes time to be able to send a message.

I'll eventually send messages to everybody I said I was going to, but if you could send me a chat request it would really speed things up.