It all starts with your organization putting up the program on HackerOne and someone spreading the word. Some CPU in an isolated and cold data center of HO would crack up and it will unravel a new world to you.

People will try to brute force your login and sign up process. Have you been waiting to scale up your postgres server? You won't be able to avoid it tonight.

[Image: Number of failed and successful logins (CC BY-NC 2.0)]

Good monitoring setup would shine in days like these. You set up rate limit to avoid the next sweep of login attacks. Similar scripts will try to suck the breath of your app whenever they find a 500 Internal server error. Your logger would set new records for the number of errors logged in a day and flood your slack channel integrated with the logger bot. Things will calm down once you start to fix them one by one.

ArgumentError (string contains null byte) will haunt your dreams. You introduce rack-utf8_sanitizer in hopes that you would not see them again, but they never really go away (rails/rails#26891).

Blessed be the day when you receive the report of an XSS attack which existed right under your nose. You would get to co-ordinate a fix in a gem you used since you were still fumbling with your lambdas and procs. You will feel smart, however it won't last very long because now you find out that CSRF token validation can be bypassed on your app. Rails 4 introduced the with: :exception option for protect_from_forgery and switched to using it in its templates when :null_session was still the default argument. Do you too dream of a day when a Rails major update will be as easy as minor ones?

Being an open source community, it is possible that you will lose pace. Duplicate reports would start to pile up because hackerone reporters share bugs among themselves once the original report is filed. Are you a bad person to think that the hackerone community has some growing up to do?

Meanwhile, your password reset token has been leaking to third party websites through the referer header. Which is a bit worse than it sounds because those tokens may not expire on clearance. You let the experts know because some fixes would be more complicated than others. Always check caniuse before you are dazzled by something new and shiny. I hope you didn't forget to reset all your users' :confirmation_token.

While introspecting, you will look back at the OWASP top 10 cheat sheet and agree that the list is very real. Hopefully, you will ask yourself why aren't more people participating in programs like this. Why are the cockroaches having a party as if you aren't even home?

[Image: bugville by lady-traveler (CC BY-NC 2.0)]

It is a reasonable assumption to make that your grocery shop works securely while delivering all the ingredients you need for your next award winning soup. It would almost break your heart when you turn away reporters with a mere thank you note because you don't pay bounty for rubygems.org. You don't have the money for it. Reporters would beg you to reconsider and all you would say is "Only issues within the rubygems client library are eligible for a bounty." Did you know that you and your company could help?
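One way to keep the null-byte requests mentioned above from ever surfacing as an ArgumentError and a 500, as an added example that is not the post's own code: a Rack-style middleware in plain Ruby stdlib that answers 400 instead. The env hash shape, the stand-in downstream app and the `handle` helper are constructed here for illustration.

```ruby
require "uri"
require "stringio"

# Rack-style middleware (constructed for this example, not from the post):
# requests whose query string or form body carry a NUL byte get a 400 here,
# instead of reaching code that raises ArgumentError (string contains null
# byte) and surfaces as a 500 in the logs.
class RejectNullBytes
  BAD_REQUEST = [400, { "Content-Type" => "text/plain" }, ["Bad Request\n"]].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return BAD_REQUEST if null_byte?(env["QUERY_STRING"].to_s)
    if env["CONTENT_TYPE"].to_s.start_with?("application/x-www-form-urlencoded")
      body = env["rack.input"].read
      env["rack.input"].rewind
      return BAD_REQUEST if null_byte?(body)
    end
    @app.call(env)
  end

  private

  # Decode first: "%00" only turns into "\0" after percent-decoding, so a
  # check on the raw string would miss it. Undecodable input is rejected too.
  def null_byte?(encoded)
    URI.decode_www_form(encoded).any? { |k, v| k.include?("\0") || v.include?("\0") }
  rescue ArgumentError
    true
  end
end

# Stand-in for the downstream app: it raises on a NUL byte, like the real thing.
INNER_APP = lambda do |env|
  name = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h.fetch("name", "")
  raise ArgumentError, "string contains null byte" if name.include?("\0")
  [200, { "Content-Type" => "text/plain" }, ["hello #{name}\n"]]
end

# Build a minimal Rack env (constructed) and run it through the middleware.
def handle(query, body: nil)
  env = { "QUERY_STRING" => query, "rack.input" => StringIO.new(body.to_s),
          "CONTENT_TYPE" => body ? "application/x-www-form-urlencoded" : nil }
  RejectNullBytes.new(INNER_APP).call(env)
end
```

Mount it ahead of the application (in Rails, `config.middleware.insert_before` with any existing sanitizer) so the rejection happens before any model or file-system call sees the string.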