Hacker News: preetigagarwal's comments

REST APIs are deceptively simple on the surface but notoriously inconsistent in practice — different teams implement auth, pagination, and error handling completely differently. AI tools struggle because there's no single 'correct' REST — every API is its own dialect. GraphQL and gRPC have stricter contracts which makes them easier for AI to reason about. The irony is that this inconsistency is also why REST APIs have so many security vulnerabilities — no standard means no standard security either.


API security is the most common blind spot. Vibe coding tools generate endpoints fast but almost never think about broken authentication, excessive data exposure, or injection flaws. A solo dev can ship a beautiful frontend with completely exposed APIs behind it. At minimum — test your own endpoints like an attacker would before going live.


Congratulations! 5k users is a real milestone — especially for open source where you rarely hear from most of your users. The ones who take time to register are your most valuable early adopters. Would be curious what your biggest growth channel was — was it a single post that took off or slow organic growth over time?


I don't really do anything tbh, I made a few posts on Reddit, and mostly on HN. Totally organic, no upvote farming/bots, kept it 100% honest for my peace of mind.


Security skills are becoming more valuable not less. As AI writes more code, the attack surface grows faster than ever. Someone still needs to find and fix the vulnerabilities that AI introduces. Knowing how to think like an attacker — not just a builder — will always have value.


The AI fatigue is real. The problem is most AI products are just wrappers that add a chat interface to existing tools and call it AI. The ones that actually stick are the ones where AI is doing something that was genuinely impossible or impractical before — not just faster or cheaper. That bar is higher than most builders think.


Cold start is the hardest problem in any marketplace. What worked for us was focusing on one side first — get the supply side locked in before worrying about demand. Also doing things manually at the start that don't scale. Personal outreach to every single early user, not mass emails. The product can be rough but people forgive that if you give them personal attention early on.


Referrals from the first 2-3 clients were everything. But to get those first clients — LinkedIn outreach with a very specific message about their problem worked better than anything else. Generic 'I am available for work' messages got ignored completely.


How do you find out about the problems though? I haven't come across anything like that on LinkedIn. And if it is not there, then I wouldn't even know where else to look. Their website? Their blog? People/companies generally don't write about their problems. Even in job descriptions there usually isn't anything about the problems they want to solve.


These groups typically exploit unpatched vulnerabilities and exposed credentials. Most companies don't discover they're vulnerable until after a breach. Regular security audits are the only real defense.


ugh, strong ai slop vibes with comments like this


Because they actually use capitalization and punctuation?

