🔴 orchids.app Vulnerability Disclosure
Critical Payment Bypass Research
Timeline:
Sept 2025 - Nov 2025
Impact:
Saved Y Combinator-backed startup $1M+ in potential losses
Vulnerabilities Found:
├── 2 Critical payment bypass vulnerabilities
├── Authentication bypass in payment flow
└── API endpoint security weaknesses
Disclosure Process:
├── Sept 2025: Discovered vulnerabilities during security research
├── Initial disclosure: Contacted orchids.app security team directly
├── Escalation: Reached out to Y Combinator security team after non-response
├── Reported to CERT/CC for coordinated disclosure
└── Nov 2025: Vulnerabilities patched and resolved
Technical Details:
├── Web Security Analysis
├── Payment Systems Architecture Review
├── API Security Testing
├── Authentication Flow Analysis
└── Responsible Disclosure Protocol
Key Learnings:
├── Importance of persistent responsible disclosure
├── Multi-channel escalation strategies
├── Working with accelerator security teams (YC)
├── CERT/CC coordinated disclosure process
└── Impact assessment for startup security
Technologies Involved:
Web Security, Payment Systems Analysis, API Security, Authentication Protocols
"This research demonstrates that doing the right thing matters more than
recognition. Despite initial non-response, persistence through proper channels
(YC security team and CERT/CC) led to protecting users and preventing
significant financial losses for a promising startup."