Being one of the biggest names in the space, Marc Lou is always one of the most discussed indie hackers on the X timeline. He’s frequently praised… and frequently criticized.
Now he's at the center of an explosive controversy that has drawn the entire indie hacking community into a debate over product quality, security practices, and the ethics of public bug reporting.
And it all began with a tweet from a fellow indie hacker.
Simon finds a bug
On October 18th, an indie hacker who goes by Simon quote-tweeted a post praising ShipFast’s affiliate program:
The tweet went super viral, pulling in four million views, and it was a precursor for the debates to come. There were people defending the merits of boilerplates and those who took the opposite position.
But Simon wasn't done. Later that day, he posted about an error with ShipFast’s server side validation:
With 11 million views, this tweet went even more viral than the first. As you’d expect, the discussion was much more lively than before, with many indie hackers feeling that Simon had violated the unwritten rules around bug reporting.
Here’s John Rush with an accurate representation of the prevailing sentiment:
can you ship something instead of trying to bring down other makers who are trying their best?
I can't understand why it became so cool to do this.
if you found this hole, send it to Marc in DMs. Let him fix it. Imagine someone does this to you one day.
— John Rush (@johnrushx) October 18, 2024
However, Simon didn’t feel he'd done anything wrong.
And he wasn't alone in that belief:
I shared this tweet so others learn about issues like this. I'd privately tell Marc about any big problems, but sharing some thoughts openly can help everyone improve. It is not about bringing him down
— Simon (@soeckly) October 18, 2024
Marc, meanwhile, seemed completely unamused:
Little did he know that Simon was just getting started.
And another one, and another one…
On October 19th, Simon tweeted that he'd found a new Marc Lou-related bug.
This time it was a serious security vulnerability in IndiePage, and because of its seriousness, he sent Marc a DM instead of posting it publicly.
Later that day, he put ShipFast on serious blast:
He then criticized Marc’s use of SVGs instead of an icon library and how he was able to get ShipFast for free.
This seemed to spur a community security audit, as other people also began to find serious security vulnerabilities:
If you are an indie hacker, you would have to be living under a rock to ignore these @shipfa_st security issues.
Marc's product has some serious problems.
1. It's super easy to get past the paywalled content. I spent less than 5 minutes and I was in.
2. Shipfast is exposing user's…
— Samar Kundal (@thesamarkundal) October 22, 2024
According to Simon, the reason for his crusade was simple: ShipFast is $200 and is used by a lot of people, so it deserves the highest level of security. So, if Marc isn’t going to respond privately, he has no choice but to post publicly.
Justified or not, this got Marc’s attention, and not in a good way:
I was a virgin, an hour ago.
I've never blocked anyone after 3 years on Twitter.
But my feed in the past 30 days is made of developers who think the world can be fixed with more tests.
Dozens of people try to screw my sites every day. And they claim a CRITICAL VULNERABILITY…
— Marc Lou (@marc_louvion) October 21, 2024
Unfortunately for Marc, it also got the attention of the rest of indie hacker X.
The boilerplate debate
After Simon’s numerous finds, many of the people who'd previously supported Marc Lou began to turn against him, with the consensus being that his response had been too dismissive considering the seriousness of the issues:
I've just been observing from the outside, but it does seem like people are surfacing legit vulnerabilities (like... getting free access to the thing?) and you're just writing them off as yappers.
— Aaron Francis (@aarondfrancis) October 21, 2024
This then became a debate over what a boilerplate should be:
Thoughts on the whole Shipfast debate
Shipping fast means you skip certain things and do some other things just right.
If you want to do things perfect (in this case, super secure), it will cost you in your shipping speed.
You can’t have both. You know what you get when you…
— Nick Groeneveld (@ToolboxOfDesign) October 22, 2024
And how a boilerplate should be marketed:
Many who hated Marc might hate me, but the real issue isn't the code - it's the marketing.
Marc should just clarify it's a boilerplate, basically an MVP of an MVP. No developer claims bug-free code, so why expect that from a boilerplate?
Really, can you get a complete SaaS for…
— Damon Chen (@damengchen) October 21, 2024
Even Pieter Levels chimed in:
I ship things fast
But I also follow security best practices: like I use PHP's SQL PDO library to avoid SQL injection
And I also pay someone to do regular security audits of my code
Which I can highly recommend to everyone, it doesn't have to be expensive either but helps https://t.co/GdpEjUQxUP
— @levelsio (@levelsio) October 22, 2024
What does this mean for the future of indie hacking?
With this tweet, Marc put an end to this saga:
"Ethical hacking for the good of the community"
BS.
- My server logs are on fire
- Hundreds of bots crawl my API endpoints all-day
- They abuse my support, pretending to be customers
So
- I fixed the ShipFast paywall (you can't get it for free, sorry)
- I hired someone to…
— Marc Lou (@marc_louvion) October 22, 2024
But the debates spurred on by the drama are sure to stay:
What should be expected from a boilerplate?
What is the correct way to report a bug?
And, as Dagobert puts it, is the indie hacking community becoming toxic?
The indie making community is becoming toxic like crypto and drop-shipping. So it's time to stop being nice all the time and start calling each other's bullsh*t 👊 We will all grow stronger from it 💪 (feel free to call me out when i do something shady) https://t.co/WXUIS5Xjbp
— Dagobert Renouf (@dagorenouf) October 21, 2024
It’ll be interesting to see how these questions are answered in the coming months and years.