zlacker

[parent] [thread] 1 comments
1. alexha+(OP)[view] [source] 2026-01-18 07:48:08
A quick reaction is that there's almost 2 different intents that need to be considered here:

- We want to build a business opportunity around auditing.

- We want to reduce the amount of insecure Sugabase apps.

They align somewhat but decisions may vary based on your lens when deciding how much weight to put for watch.

- IANAL, I assume you can or have assesed legal considerations around passive/active/automated scanning of this nature.

- In a direct world you could communitate the fix automatically to the right target for all your finds and track whether they fix the issue (audit periodically at a non spammy/cost inducing frequency)?

- In the general sense I'd try to estimate where I think the error manifests itself to attempt different solutions and find ways to measure those, where am I fixing the problem?

  - LLM generated code: benchmark and evals to measure which popular programmatic LLMs recommend the right approach.

  - Community recommendations: Make your case within the community to modify the appropriate tutorials.
- Is there something in the core tools (I don't really know Supabase) that would make it less likely for a developer following an outdated or malicious tutorial to do the insecure thing?

Security is always a fun problem to think about once you start thinking about it from an economics lens of rational actors with limited knowledge and varying incentives.

replies(1): >>xyborg+7p
2. xyborg+7p[view] [source] 2026-01-18 12:21:24
>>alexha+(OP)
Yes, both statements are true, I am building a business around this, but I do also want to reduce the amount of insecure Supabase applications, and that's why I open sourced, and it's also free, my Chrome Extension. Because that's a quick check, any non-technical person can do.

I am currently in communication with many of the sources I used to harvest those sites, so they can warn them, and I also offered a quick API integration that can plugged in during their submission process, so they can warn users right before they launch their apps on those directories. Another option is to get their contact information, but there is no way I can get into their inboxes without being labeled as SPAM :/

Also, another thing I offer for free on my site, is the possibility of running an automated audit on your project, you just connect to Supabase using oAuth. And get a report of what's missing, from there you can either click the "fix in Cursor" or copy results button, and ask your favourite LLM to fix it, or buy my advanced report with the fixes for 5 bucks. But I do offer a free options though.

About this: "- LLM generated code: benchmark and evals to measure which popular programmatic LLMs recommend the right approach.", check this out https://cset.georgetown.edu/wp-content/uploads/CSET-Cybersec...

And, when it comes to community recommendations, I am doing my best, reaching out to dev influencers, posting regularly on /r/Supabase/ (not spamming, providing real value).

Last but not least, Supabase did added a LOT of new features in their dashboard to warn and prevent users from shipping tools unprotected, but the issue is many of these apps were created using CLI, GUI, or Web tools where the user almost never go to Supabase's dashboard, so they never see those warnings :(

[go to top]