When Startups Ask for Free Security Work
It didn’t take long to find issues, both in security and user experience.
## The Vulnerabilities
*Authorization Flaw*: [redacted] limits free users to 3 items, with a paywall for more. But their API doesn’t enforce this. Anyone can bypass the frontend and call the API directly.
This classic flaw means free users can generate unlimited content, paid tiers lose value, and the business model collapses.
*UX Problems*: The platform also has confusing navigation, inconsistent design, poor hierarchy, clunky workflows, and unclear onboarding. When the product experience feels this raw, security flaws are just another sign of neglect.
## The Response
I asked in their community channel about their disclosure process. The founder replied:
“hi [name], i just saw your message on the general channel. right now, we are not hiring, but people are helping improve the platform and this is a good test for the future, when we will hire people. if you want to contribute, feel free to report bugs or security issues to us. if security related, it's best on private dms rather than on general channel”
Translation: Please do free security work for us. Maybe we’ll hire you someday.
## Why I Didn’t Disclose
I withheld details because:

- No bug bounty or acknowledgment system
- Security research framed as "free testing"
- Vague promise of future consideration, not present compensation
- No disclosure policy or timeline
- Overall lack of professionalism
Finding and responsibly reporting vulnerabilities takes skill. Expecting researchers to do it for free, especially from a funded startup, is unacceptable.
## The Broader Problem
This reflects a larger startup issue: wanting community help without paying for it. Companies routinely ask for unpaid QA, security audits, bug reports, and UX feedback while raising millions.
## What Good Companies Do
The best companies have:

- Clear disclosure policies with defined timelines
- Bug bounty programs (even small ones show respect)
- Professional communication with researchers
- Public acknowledgment for responsible disclosure
It doesn’t take much. Even a $10 gift card and a thank-you matter.
## Current Status
A month later, the vulnerability is still unfixed, and UX remains rough.
For users, this means inaccurate usage tracking, broken economics, possible deeper issues, and ongoing frustration. For the company, it reveals a culture where security, UX, and respect are afterthoughts.
## Lessons for Founders
*Security basics*:

- Enforce all limits server-side. Never trust the frontend.
- Publish a simple disclosure policy.
- Respect researchers; we’re trying to help.
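What "enforce all limits server-side" looks like for the flaw described above, as an added example (not code from the post or from the platform it describes): a create-item handler with the limit only in the frontend, beside a hardened one that decides from server-side state. The in-memory users and the plan names "free" and "paid" are assumed.

```python
"""Server-side quota enforcement for a create-item API (added example)."""
from dataclasses import dataclass, field
from threading import Lock

FREE_TIER_LIMIT = 3  # the free tier's 3-item limit from the post


@dataclass
class User:
    user_id: str
    plan: str  # "free" or "paid" (assumed plan names)
    items: list = field(default_factory=list)


# In-memory store standing in for the database (constructed sample users).
USERS = {"alice": User("alice", "free"), "bob": User("bob", "paid")}
_QUOTA_LOCK = Lock()  # a real service would use a DB transaction instead


def create_item_vulnerable(session_user: str, body: dict) -> dict:
    """The flaw: the 3-item limit exists only in the frontend JavaScript.
    Anything that calls the API directly skips it, so this handler creates
    the item no matter how many the user already has."""
    user = USERS[session_user]
    user.items.append(body["content"])
    return {"status": 201, "count": len(user.items)}


def create_item_fixed(session_user: str, body: dict) -> dict:
    """Hardened handler: identity comes from the server-side session, the plan
    and item count come from server-side state, and the check-then-insert
    runs atomically. Nothing in the client-supplied body affects the decision."""
    user = USERS[session_user]
    with _QUOTA_LOCK:  # two concurrent requests must not both pass the check
        if user.plan == "free" and len(user.items) >= FREE_TIER_LIMIT:
            return {"status": 402, "error": "free tier limit reached"}
        user.items.append(body["content"])
        return {"status": 201, "count": len(user.items)}


def simulate_direct_api_calls(handler, session_user: str, n: int) -> list:
    """Call a handler n times the way a script bypassing the frontend would,
    returning the HTTP status of each call. Resets the user's items first."""
    USERS[session_user].items.clear()
    # The client may even claim plan="paid" in the body; neither handler reads it.
    body = {"content": "generated item", "plan": "paid"}
    return [handler(session_user, body)["status"] for _ in range(n)]


if __name__ == "__main__":
    print("vulnerable:", simulate_direct_api_calls(create_item_vulnerable, "alice", 5))
    print("fixed:     ", simulate_direct_api_calls(create_item_fixed, "alice", 5))
    print("paid user: ", simulate_direct_api_calls(create_item_fixed, "bob", 5))
```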
*Cultural basics*:

- Don’t ask for free labor.
- Treat feedback as valuable, not free QA.
- Remember that first impressions last.
The security community wants to help, but not at the cost of undervaluing expertise.
Build secure products. Create intuitive experiences. Respect those who help you improve. Security debt compounds quickly, but UX debt kills adoption even faster.
---
Have you had similar experiences with AI startups expecting free security work? How do you handle companies that dismiss security?