1. Send URL
  2. Scope call
  3. Quote + Stripe link
  4. 50% deposit
  5. One week of work
  6. Report delivered

Who

Who this is for

You shipped a SaaS in the last 18 months. You used an LLM to scaffold most of the code. You have paying users. You have not had a security review.

You're moving fast on purpose. You're not slowing down to read OWASP. You're also aware, on some level, that the same models that wrote your auth middleware wrote everyone else's, and that something in your codebase is probably broken in a way that will only surface when it surfaces badly.

If you have a security team, you don't need me. If you're pre-revenue, neither of us benefits — come back when you've shipped.


What's included

What you actually get

The full engagement, itemized:

Deliverable | What it is | Value
Security audit | Hand-driven testing across auth, data layer, integrations, and URL-handling surfaces. Not a scanner dump. | $5,000
Findings report | Per finding: severity, reproduction steps, impact, concrete fix. Engineers can ship the patch without calling me. | $1,500
Threat model | What an attacker can actually do against your specific architecture, not generic STRIDE boilerplate. | $1,500
Remediation Q&A | 30 days of email support while your team fixes the findings. 24-hour reply window. | $1,000
Free re-test | One round of verification on the original scope after you patch. | $1,500
7-class checklist | The seven vulnerability classes I find most often in vibe-coded SaaS, with detection recipes. Yours forever. | $500
Optional co-authored writeup | If you'd like, we co-publish a sanitized post-fix writeup. Great for buyer trust. | $1,000
Standalone value | | $12,000
Starting at | | $1,500

Guarantee

If I don't find a High or Critical, you don't pay.

Concretely: I quote the engagement, you pay 50% upfront, I have one week. If at the end of the week I haven't surfaced at least one finding I'd score High or Critical under CVSS 3.1, I refund the deposit in full and you keep the clean-bill-of-health report as a due-diligence asset.

This is a real risk reversal. I take it because I've yet to run this audit on a vibe-coded product and not find at least one issue at that severity — but if your codebase is the first, the risk is on me, not on you.


Pricing

Three tiers

Fixed price, no hourly. Quoted per engagement.

Starter $1,500

Solo founders and very early teams. One web app, one main domain.

  • Up to 5 days of focused testing
  • Full deliverable stack
  • 5-business-day turnaround once started

Standard $3,500

Seed-stage products with real integrations.

  • Web app + up to 3 connector flows (Notion, Slack, GitHub, Stripe, etc.)
  • Up to 10 days of testing
  • Full deliverable stack, plus extended threat model
  • 10-business-day turnaround

Deep from $6,000

More surface — desktop or mobile clients, multiple OAuth flows, sensitive scopes. Clicky-class work.

  • Network capture + binary review where applicable
  • Privacy-practice review (PostHog/Mixpanel content leakage, third-party processor analysis)
  • Attack-chain narrative + remediation roadmap
  • Quoted per engagement after a free scoping call

Capacity: I take two audits per month. This is real — I'm solo and the work is hand-driven. Booking is first-come; if the current month is full, the next slot is whichever month opens next.


Process

How it works

  1. Free 20-minute look. Send your URL and one sentence on what you do. I tell you whether I see something worth a closer look. Public surfaces only, no NDA needed at this stage.
  2. Fixed-price quote. If we're a fit, I send a scope and a quote. Sign and pay 50% to book the slot.
  3. One week of work. NDA in place, test account provisioned, you don't need to do anything while I work. No standups, no Slack interrupts, no calls.
  4. Report delivered. Full deliverable stack lands in your inbox. Balance due on delivery.
  5. Patch and re-test. Your team fixes; I verify within the included 30-day window.

Boundaries

What I don't do


Questions

FAQ

How does the public-writeup policy work for paid clients?

Paid engagements follow coordinated disclosure. We agree the public-disclosure timeline together (90 days from the fix is the default, longer is fine). You choose whether the eventual writeup names you, anonymises you, or stays private indefinitely. The site shows existence of paid engagements only with your approval — see the ParakeetAI card for what an approved-but-embargoed listing looks like.

And for the public writeups I see on this site?

The writeups currently published (Clicky, Outrank) were not paid engagements. They were independent research on products I use, disclosed privately to the vendor first. When a vendor does not engage with a disclosure after good-faith attempts, the finding is published under the same responsible-disclosure timeline that Project Zero, Trail of Bits, and most security researchers operate under. If either vendor responds now, I'll happily add a "fixed in version X" note to the post.

What if you don't find anything?

You don't pay. The guarantee covers this. You also keep the clean-bill-of-health report, which has real value for due diligence, customer trust, and investor questions.

Why is this cheaper than US security firms?

A traditional pentest engagement starts at $10k–$25k and is scoped for a different buyer. I'm a solo researcher running a focused methodology against a narrow target class. Less overhead, less scope, less time — lower price. The work itself is not cheaper.

Payment?

Card via Stripe Payment Link, sent with the quote. 50% on accept, 50% on delivery. USDC, USDT, or wire on request — reply to the quote and I'll swap the link.

NDA?

Yours or mine. I sign yours unredacted; mine is a one-page mutual NDA on request.


Get started

Send me your URL.

One sentence on what your app does. I'll reply with whether I see something worth a closer look.

hello@shippedwithbugs.com