by kanyethegreat 1187 days ago
Lol, has their SB creds. Someone could do a bunch of stuff with that

These appear to be local credentials (supabase init, supabase start), but I'll reach out to the founders now to make sure everything is secure on their Production database/APIs. We are a GitHub secret scanning partner [0], so hopefully this was caught early.

---

For any other founders reading this, it's recommended to add a `SECURITY.md` to your repo before doing a ShowHN/LaunchHN. This can be exposed in your `.well-known` folder (e.g. https://supabase.com/.well-known/security.txt). This will help with responsible disclosures.

[0] GitHub secret scanning: https://github.blog/changelog/2022-03-28-supabase-is-now-a-g...

> Do not reveal the problem to others until it has been resolved,

Sorry, probably shouldn't have pointed that out. Noted for future reference.

Aside: big fan of Supabase, Paul! It's a pleasure using it!

This is exactly right, thanks a bunch for checking. Also, thanks for the note! We will add a SECURITY.md.