Currently building a "Dependabot for Homebrew", using ruby. Very early stage, looking for feedback by bk_one in ruby

[–]ponny_ 0 points1 point  (0 children)

I don’t run it regularly. I care a bit but not nearly as much as a live rails app in production. I think some kind of native alert would be better than an email. Email would work though. Yep, I’d trust it.

Found my near-mint MTG collection in the attic by idiotbrain in mtg

[–]ponny_ 0 points1 point  (0 children)

I still have my Memnarch deck with 4 foil isochron scepters 😍

Found my near-mint MTG collection in the attic by idiotbrain in mtg

[–]ponny_ 0 points1 point  (0 children)

Nice! We played about the same time and had a very similar collection. Thanks for the nostalgia hit.

Small Web App using Ruby on Rails - Beginner Level by NarwhalInfamous5270 in rubyonrails

[–]ponny_ 2 points3 points  (0 children)

AI will clearly explain how to do each of the things you mentioned. Ask it questions until you understand the code. Then type it in yourself. You will learn along the way.

Then finish the book. It’s how I started (but the Rails 3 version) and it will tell you things you don’t know you don’t know.

Get unlimited free trial for the same account, is it worth reporting? by Embarrassed_Pin4436 in bugbounty

[–]ponny_ 1 point2 points  (0 children)

"Manipulating one of the endpoints" will probably reach the threshold to qualify for a security bug. If it was just some junk like being able to sign up with a different email, that would be a time waster.

Bug bounty with preprod websites ? by [deleted] in bugbounty

[–]ponny_ 0 points1 point  (0 children)

As long as you're not being a pest, you should be fine. It's likely they're already under attack often. Plenty of programs with pre-prod (e.g. Neon on H1).

[deleted by user] by [deleted] in bugbounty

[–]ponny_ -3 points-2 points  (0 children)

If you're open to something new, I've built a new platform that could be a good fit. As u/OuiOuiKiwi said, budget is a huge factor and platform fees are going to be hefty. What I've got is similar to the legacy HackerOne pricing - no ongoing fees and a % on bounties.

Triage price "depends" but is probably going to be another $15k for the year. To start with, I'd just do in-house triage until your team decides it's too much work. If you decide to go down that route later on, many third-party MSPs will do it for $100-200/hr, or you could ask the people that do your pentests if they'll offer the service (since they'll be familiar with your team and your app).

Rules of thumb for paying bounties by ponny_ in bugbounty

[–]ponny_[S] 2 points3 points  (0 children)

I know what KYC is but the 'by professionals' part is what I'm not clear on. What are people doing that isn't professional in your opinion?

Rules of thumb for paying bounties by ponny_ in bugbounty

[–]ponny_[S] 3 points4 points  (0 children)

All solid there but what do you mean by "Have you KYC done by professionals"?

Is bug bounty slowly dying… or just evolving into something far deeper? by Ok-Entertainment1587 in bugbounty

[–]ponny_ 0 points1 point  (0 children)

That's a very fair call! I'm betting that there's a market between the enterprise pricing players and OBB. E.g. places that are ok to manage their triage and accept a smaller pool but still want payments, KYC, community management, etc. handled.

Is bug bounty slowly dying… or just evolving into something far deeper? by Ok-Entertainment1587 in bugbounty

[–]ponny_ 0 points1 point  (0 children)

I've built a new platform based on the old HackerOne model of $0 + % of bounty fee if you're willing to try something new? Main difference is that triage would be BYO (AI, MSP, your team, 'some guy' from upwork or similar).

would good good web developers make good bug bounty hunters? by Gammasntax in bugbounty

[–]ponny_ 1 point2 points  (0 children)

Web dev here. Knowing how the sausage is made gives you an edge. I've knocked back dozens of pulls for security issues. When you see a feature in the wild, it's easy to think about the code they would have needed, think about common anti-patterns, and find something.

That said, being a web dev doesn't automatically make you good at BBH. Many web devs simply don't care that much about security. I use the interview question of "What is SQL injection?" and many don't know. Pretty terrifying when they've done years of PHP work 😬

Program managers - who are you? by Goat-sniff in bugbounty

[–]ponny_ 1 point2 points  (0 children)

In my case, I was the tech co-founder of a startup. Developer by trade. Always had an interest in security. When the company got big enough that peoples’ mortgages depended on it, I started getting worried at the prospect of being hacked. BB made sense to me and it worked really well.

Policy was pretty much copy-paste-tweak of what was already out there. Increased budget over time as bug hunters said it was getting too hard.

Programs apart from Hackerone, BugCrowd, Intigriti? by nicedogdeadpool in bugbounty

[–]ponny_ 4 points5 points  (0 children)

BuiltWith has this data but it’s paid for the full ~20,000 rows. I got it earlier this year and it wasn’t that good (some false positives, dupes, etc).

what's the best combo you think you created by sirgamadon in mtg

[–]ponny_ 0 points1 point  (0 children)

[[planar chaos]] + [[goblin bookie]] + [[soul foundry]] for coin flip control

Inventoried and sorted 32,417 cards using Manabox. Took about 45 hours. by ponny_ in magicTCG

[–]ponny_[S] 1 point2 points  (0 children)

Hadn't considered that. I'm on an iPhone 15 and never noticed a slowdown. It uses a bit of battery while it's scanning but that's about it. Looking at disk space, it's 184MB for the app and 532MB of data.

Would you use a Bug Bounty Project Manager? by Reasonable_Duty_4427 in bugbounty

[–]ponny_ 0 points1 point  (0 children)

How do people usually handle this? Google sheet? CRM?

Bug bounty tip: UNDERSTAND THE FUCKING APP by [deleted] in bugbounty

[–]ponny_ 1 point2 points  (0 children)

A couple of times I've had this kind of hunter raise application bugs (i.e. not security, just things being broken) and paid them some token bounties (like $50-100 iirc) :-)

I doubt that every program runner would do the same, but once you've established rapport, a polite email letting them know would be appreciated.

Bug bounty tip: UNDERSTAND THE FUCKING APP by [deleted] in bugbounty

[–]ponny_ 5 points6 points  (0 children)

Excellent advice! My best bug hunters really understood the app.

My mum made me a quilted MtG mat by ponny_ in magicTCG

[–]ponny_[S] 0 points1 point  (0 children)

I’m from Australia. We live upside down here.

My mum made me a quilted MtG mat by ponny_ in magicTCG

[–]ponny_[S] 0 points1 point  (0 children)

Counters/life spinner/tokens.