The worst scenario is not having a vulnerability. It is never having looked.
A developer building a SaaS in public discovers 15 security vulnerabilities in his project after running a Snyk scan, including two critical CVSS 9.1 issues in Rails' HexSession. He reflects on the common developer habit of ignoring Dependabot PRs and on the danger of assuming that having security tools in place means the project is safe.
Summary
The creator is documenting the build of a public SaaS project called 'Find My SaaS' and shares an alarming discovery: after running the Snyk security scanner on the project for the first time, he found 15 open vulnerabilities, all with a Snyk priority score of 741. Two of these were rated CVSS 9.1, a score he describes as so severe that large companies would call emergency meetings and cancel developer vacations over it.
He explains that while the 15 vulnerabilities initially seemed catastrophic, deeper analysis revealed that many were cascading from a single root vulnerability in HexSession, a core Rails component responsible for managing login sessions. Because many gems depend on HexSession, Snyk flagged each dependency separately, inflating the apparent count. In reality, he identifies two genuinely critical issues.
The critical vulnerability is classified as 'fail not securely': when the system cannot verify a user's identity, instead of defaulting to rejection (failing closed), it grants access (failing open). The secure default is the opposite: any check that cannot complete, whether because the session is malformed, tampered with or unreadable, should be treated as a denial. He illustrates this with an analogy of a building turnstile that opens instead of locking during a power outage, and compares it to gym systems that let everyone in, including those with unpaid memberships, when their software goes down.
He also addresses his 12 open Dependabot pull requests, some waiting for over a month, and confesses he had been treating them as noise. He explains that Dependabot doesn't prioritize PRs by severity, so a critical security fix looks identical to a routine developer dependency bump, leading developers to mentally lump them all together and ignore them — much like a malfunctioning alarm system that eventually gets ignored.
The creator frames the video as part of his honest 'build in public' series, acknowledging that transparency means showing failures alongside successes. He encourages viewers — especially beginners and vibe coders — to spend 15 minutes scanning their own projects, and promises to fix all 15 vulnerabilities, starting with the two most critical ones, with a detailed uncut debugging video linked in the description.
Key Insights
- The creator discovered that what appeared to be 15 distinct vulnerabilities was largely one root issue in HexSession being multiplied across every gem that depends on it — reducing the truly serious issues to just two CVSS 9.1 findings.
- The creator argues that having Dependabot configured gave him a false sense of security — he believed the project was being monitored, but he had 12 open PRs ignored for weeks, some for over a month, meaning the tool created an illusion of safety without delivering it.
- He explains that Dependabot does not prioritize PRs by severity, so a gem bump fixing a CVSS 9.1 vulnerability appears visually identical to a routine Selenium WebDriver update, causing developers to process all alerts as noise and ignore them.
- The creator describes the HexSession vulnerability as a 'fail not securely' flaw — in certain scenarios the system, when unable to verify a user's identity, defaults to granting access rather than rejecting the session, effectively opening the turnstile when the power goes out.
- He admits that despite knowing about dependency audits and discussing them publicly, he himself had never run one on his own project — acknowledging that even developers who understand the concept routinely skip it in practice.
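The fail-open versus fail-closed distinction from the summary and the key insights above, shown as an added Ruby example. This is not the project's code and not the HexSession flaw itself: it is a minimal signed-cookie session check (HMAC-SHA256, a constructed demo secret, and constructed cookies) written to show the two shapes a session verifier can take. `admit_fail_open?` asks "is there a reason to deny?" and answers "no" whenever verification raises, so a forged or garbage cookie walks through the turnstile; `admit_fail_closed?` asks "can I prove this user is allowed?" and treats any failure as a denial. All function names and the `SECRET` constant are assumptions made for this example.

```ruby
require "openssl"
require "json"

# Demo secret only (assumption: constructed for this example, never reuse).
SECRET = "example-only-secret-not-for-production"

# Constant-time byte comparison so signature checks do not leak timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encode a session payload as "<base64 json>.<hex hmac>".
def sign_session(payload, secret = SECRET)
  data = [JSON.generate(payload)].pack("m0") # strict base64, no newlines
  sig  = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  "#{data}.#{sig}"
end

# Verify a cookie and return its payload hash. Raises ArgumentError or
# JSON::ParserError on anything it cannot positively verify.
def verify_session(cookie, secret = SECRET)
  raise ArgumentError, "missing cookie" if cookie.nil? || cookie.empty?
  data, sig = cookie.split(".", 2)
  raise ArgumentError, "malformed cookie" if data.nil? || sig.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  raise ArgumentError, "bad signature" unless constant_time_equal?(expected, sig)
  payload = JSON.parse(data.unpack1("m0")) # unpack1("m0") raises on bad base64
  raise ArgumentError, "payload is not an object" unless payload.is_a?(Hash)
  payload
end

# FAIL-OPEN: the check looks for a reason to deny, and an exception is
# taken to mean "no reason found". Tampered and garbage cookies are admitted,
# and so is a validly signed but empty session, because nothing says "revoked".
def admit_fail_open?(cookie)
  session = verify_session(cookie)
  !session["revoked"]
rescue ArgumentError, JSON::ParserError
  true # could not verify, so nothing says deny: the turnstile opens
end

# FAIL-CLOSED: the check requires positive proof (a verified session that
# names a user and is not revoked). Any failure to obtain that proof denies.
def admit_fail_closed?(cookie)
  session = verify_session(cookie)
  session["user_id"].is_a?(Integer) && !session["revoked"]
rescue ArgumentError, JSON::ParserError
  false # could not verify, so deny: the turnstile locks
end

# Run both policies over a set of labelled cookies and return the decisions.
def compare_policies(cookies)
  cookies.to_h do |label, cookie|
    [label, { fail_open: admit_fail_open?(cookie), fail_closed: admit_fail_closed?(cookie) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one honest session, one revoked, one empty-but-signed,
  # one forged payload with a bogus signature, one garbage string, one missing.
  forged = "#{[JSON.generate({ "user_id" => 1, "admin" => true })].pack("m0")}.0000"
  samples = {
    valid:   sign_session({ "user_id" => 42, "revoked" => false }),
    revoked: sign_session({ "user_id" => 7, "revoked" => true }),
    empty:   sign_session({}),
    forged:  forged,
    garbage: "not-a-cookie",
    missing: nil
  }
  compare_policies(samples).each { |label, r| puts "#{label}: #{r}" }
end
```

Only the `valid` cookie should be admitted by both policies; the fail-open version also admits `empty`, `forged`, `garbage` and `missing`, which is exactly the behaviour the talk describes as the power going out and the turnstile swinging open.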