You can use a product and still be critical, especially when layoffs happen. Truth is, there are a lot of things we don't know about their finances. Tailwind definitely is successful by any metric; they have corporate sponsors that alone give them a healthy MRR (I count at least $100k/month from the sponsors page alone).
I sympathise that it sucks having to fire people, been there. But it sucks more to get fired.
I think a problem is that tailwind has no moat compared to most of those. If it never received any further updates today it would still be effectively feature-complete, save for the occasional new css features.
I don't disagree, but I think it's worth differentiating between Tailwind CSS (which is free) and Tailwind UI. Tailwind UI (Tailwind Plus) is a different story I think. It's extremely useful in its current form, but could benefit from more
Yeah, I was referring more to the fact that tailwind didn't have that many other ways to monetise compared to other OSS projects. Their paid templates and courses kinda fulfilled their goal in that way, they made the founders wealthy, but is there a sustainable business there?
Apparently they were 8+ people, in 2024 team size was 6 and were hiring 2 more [0] and in 2020 they had $2m+ ARR [1].
Honestly, while I feel bad for the people who lost their jobs, the news isn't exactly surprising. Overhiring is a game for VC-funded OSS like bun, not usually a good idea for bootstrapped companies.
You've got an extra "R" in there. In 2020 their only revenue was from non-recurring lifetime software purchases. Like SaaS if you had a 100% churn rate.
Very good point, and I imagine part of the issue here... everything they sell is one-time payment, more of a reason they should have been preparing for the music to stop
I believe you, I'm just going off the figures they have published. If they had "several times more" annual revenue, then not having a war chest for situations like this is puzzling.
They use a lot of open source libraries, yes, but I think it's about how much of the end product depends on the OSS tool/library. Studios using unreal engine probably don't use that much critical OSS directly – their licensed software probably does. And the software vendors / big studios do donate to tools they depend on, for instance Epic Games donated $1.2m to Blender
AAA usually goes with AAA-tools and frameworks. So Unity, Unreal Engine or even their own engine. OSS might be used, but for smaller parts or as tools for producing their stuff (like browser, editor, etc.). So while they sometimes donate, there is not much reason to give a big sum to a single project. They might be even donating more overall, but separated on multiple different projects.
Very nice, it'd be good to see a feature comparison, as when I use mupdf it's not really just about speed, but about the level of support for all kinds of obscure PDF features, and a good level of accuracy of the built-in algorithms for things like handling two-column pages, identifying paragraphs, etc.
The licensing is a huge blocker for using mupdf in non-OSS tools, so it's very nice to see this is MIT.
It seems that he didn't even test it before submitting though…
The author has created 30 new projects on GitHub, in half a dozen different programming languages, over the past month alone, and he also happens to have an LLM-generated blog. I think it's fair to say it's not "legitimately useful" except as a way for the author to fill his resume as he's looking for a job.
Exactly this, I like to give the benefit of the doubt to people but pushing huge chunks of code this quickly shows the whole thing is vibe coded
I actually don't mind LLM-generated code when it's been manually reviewed, but this and a quick look through other submissions makes me realise the author is simply trying to pad their resume with OSS projects. Respect the hustle, but it shows a lack of respect for others' time to then submit it to Show HN.
For a reflected XSS? Tell me who is paying that much for such a relatively common bug...
To elaborate, to exploit this you have to convince your target to open a specially crafted link which would look very suspect. The most realistic way to exploit it would be to send a shortened link and hope they click on it, that they are logged into discord.com when they do (most people use the app), that there are no other security measures (HttpOnly cookies) etc.
No real way to use this to compromise a large amount of users without more complex means
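The chain described above starts with a query parameter echoed into the page unescaped. The following is an added example, not code from the thread or from any of the sites discussed, showing a minimal reflected-XSS sink next to its fixed form; the page template, the `q` parameter and the crafted link are all invented for illustration.

```javascript
// Added example: a reflected XSS sink and its hardened counterpart.
// Nothing here is taken from the thread; the template, parameter name
// and link are constructed for illustration.

// Minimal HTML escaping for text placed inside an element body or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the user-controlled parameter is interpolated straight into HTML,
// so a value containing "<script>" becomes live markup in the victim's browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page, with the parameter escaped before interpolation.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// What the server would see after the victim opens a crafted link:
// URL-decode the query string and pull out the "q" parameter.
function queryFromLink(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Constructed crafted link (the payload is URL-encoded, as it would be when
// wrapped in a shortened link). It decodes to <script>fetch("/api/me")</script>.
const CRAFTED_LINK =
  'https://example.com/search?q=%3Cscript%3Efetch(%22/api/me%22)%3C/script%3E';

// Crude detector used only to make the difference between the two renderers visible.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const q = queryFromLink(CRAFTED_LINK);
console.log('vulnerable:', renderSearchVulnerable(q));
console.log('safe:      ', renderSearchSafe(q));
```

Note that the escaped variant only closes the HTML-body injection; the same parameter reflected into a JavaScript string, a URL attribute or a CSS context needs context-specific encoding, and the attacker in the chain above still has to get the victim onto the link while a session cookie is present.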
It isn't about the commonality of the bug, but the level of access it gets you on the type or massive scale of the target. This bug on your blog? Who cares. This bug on Discord or AWS? Much more attractive and lucrative.
Yes, but this is not a particularly high access level bug.
Depending on the target, it's possible that the most damage you could do with this bug is a phishing attack where the user is presented a fake sign-in form (on a sketchy url)
I think $4k is a fair amount, I've done hackerone bounties too and we got less than that years ago for a twitter reflected xss
Why would that be the maximum damage? This XSS is particularly dangerous because you are running your script on the same domain where the user is logged in, so you can pretty much do anything you want under his session.
In addition this is widespread. It's golden for any attacker.
Because modern cookie directives and browser configs neuter a lot of the worst XSS outcomes/easiest exploit paths. I would expect all the big sites to be setting them, though I guess you never know.
I would not be that confident as you can see: on their first example, they show Discord and the XSS code is directly executed on Discord.com under the logged-in account (some people actually use web version of Discord to chat, or sign-in on the website for whatever reason).
If you have a high-value target, it is a great opportunity to use such exploits, even for single shots (it would likely not be detected anyway since it's a drop in the ocean of requests).
Spreading it on the whole internet is not a good strategy, but for 4000 USD, being able to target few users is a great value.
Besides XSS, phishing has its own opportunity.
Example: Coinbase is affected too, though on the docs subdomain, and there's 2-step, so you cannot do transactions directly, but if you just replace the content with a "Sign in to Coinbase / Follow this documentation procedure / Download update", this can get very very profitable.
Someone would pay 4000 USD to receive 500'000 USD back in stolen bitcoins.
Still, purely by executing things under the user's session there are interesting things to do.
> some people actually use web version of Discord to chat, or sign-in on the website for whatever reason
Besides this security blunder on Discord's part, I can see only upsides to using a browser version rather than an Electron desktop app. Especially given how prone Discord are to data mining their users, it seems foolish to let them out of the web sandbox and into your system.
Again, here you have not so much sold a vulnerability as you have planned a heist. I agree, preemptively: you can get a lot of money from a well-executed heist!
There is a market outside Zerodium, it's Telegram. Finding a buyer takes time and trust, but it has definitively higher value than 4k USD because of its real-world impact, no matter if it is technically lower on the CVSS scores.
What happens in all these discussions is that we stealthily transition from "selling a vulnerability" to "planning a heist", and you can tell yourself any kind of story about planning a heist.
Also the XSS exploit would have been dead in the water for any sites using CSP headers. Coinbase certainly uses CSP. With this in place an XSS vuln can't inject arbitrary JS.
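The two mitigations invoked in the comments above (cookie directives, and CSP headers) are both things a practitioner can read straight off the HTTP response. The following is an added example, not code from the thread or from any site it names, with constructed header values, that parses a `Content-Security-Policy` value and a `Set-Cookie` value and reports whether inline script from a reflected payload would still execute and whether the session cookie is readable from script. The policy strings and cookie names are invented.

```javascript
// Added example: read the two response headers that decide how far a
// reflected XSS gets. All header values below are constructed for illustration.

// Parse "directive source source; directive ..." into a Map. Per the CSP spec,
// only the first occurrence of a directive counts; later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Would an injected <script>...</script> block run under this policy?
//  - no script-src and no default-src: nothing restricts scripts.
//  - 'unsafe-inline' present: inline script allowed, UNLESS the directive also
//    carries a nonce or hash source, in which case CSP Level 2+ browsers ignore
//    'unsafe-inline' (it is kept only for old browsers).
function cspAllowsInlineScript(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Is the cookie flagged HttpOnly, i.e. hidden from document.cookie?
function cookieIsHttpOnly(setCookie) {
  return setCookie
    .split(';')
    .slice(1)
    .some((attr) => attr.trim().toLowerCase() === 'httponly');
}

// Constructed header values.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'";
const NO_SCRIPT_POLICY = "img-src 'self'";
const HARDENED_COOKIE = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const LEGACY_COOKIE = 'session=abc123; Path=/';

// Summarise what an attacker with a reflected injection could still do.
function assessResponse(cspHeader, setCookieHeader) {
  return {
    inlineScriptRuns: cspAllowsInlineScript(cspHeader),
    cookieReadableFromScript: !cookieIsHttpOnly(setCookieHeader),
  };
}

// Stand-alone demonstration.
console.log('weak   :', assessResponse(WEAK_CSP, LEGACY_COOKIE));
console.log('strict :', assessResponse(STRICT_CSP, HARDENED_COOKIE));
```

Two caveats the check cannot capture. First, HttpOnly only stops script from reading the cookie; script already running on the origin still issues requests that carry it, which is the point made above about acting "under his session". Second, a nonce-based policy only helps if the nonce is unguessable and the reflected parameter cannot land inside an existing nonced script block, so the header check is a necessary condition, not proof that the injection is dead.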
When someone shifts from engaging with the actual results to attacking the person, it usually tells you more about their internal state than about the work itself. I'm glad I have a new fan though.
I really don't mean to attack you, I hope you will take these messages to heart and at least consider talking to a mental health professional. The writings in your substack are not a good look, regardless of whether your work is correct or not.
That’s not correct, the accent is simply there to know how to pronounce the word, and while in some specific cases (diacritic accent) it is there to avoid confusion in words that are pronounced the same with different meaning, the presence or lack of accent does not as a rule change the meaning of a word.
In this case, catala and català mean the same thing; one is simply misspelled, as all words with the strong syllable last will always have an accent mark if they end in a vowel.
Your first paragraph insists that "the presence or lack of accent does not as a rule change the meaning of a word." While your second insists that "[the same word without an accent] is simply misspelled as all words with the strong syllable being last will always have an accent mark if they end in a vowel."
But your accent rule also isn't followed by the language you claim uses it as a hard and fast rule: in the case of the single-syllable Catalan words ma (my, feminine) and mà (hand). Please square that with your declaration that "all words with the strong syllable being last will always have an accent mark if they end in a vowel." Seemingly ma is breaking your rules, as well as your assertion that missing the accent is only a spelling error. In this, and many other cases, the accent completely changes the meaning of the word, which also contradicts your assertion I highlighted in paragraph 1. Maybe "as a rule" isn't the correct phrase given the multitude of words that can change meaning with an accent mark.
The broader thing you missed is that Catala is the last name of a person working on the project, and is not missing an accent. That is how the person's name is spelled. Even in Catalan. Català is a Catalan word referring to a different thing. In this case the accent is incredibly important since it helps us differentiate between a man's name and a language.
In both the figurative and spelling sense we must therefore conclude that, in reality:
You clearly don't even speak the language and are just fishing for an argument. I have already explained why your comment is incorrect, and have nothing else to say to you on that subject if you insist that the accent mark will completely change the meaning without understanding that the accent in català follows the normal orthographical rules while the accent in mà is diacritic, a special rule that only applies to often monosyllabic words.
mà / ma does not break the general rule because the word does have an accent mark, it just also falls under the diacritic special rule.
On your point about the author's last name, it's fair, but you're also ignoring that the last name comes from the same word and is thus a spelling variation from French/Occitan, further proving your assertion of Catala != Català wrong.
> You clearly don’t even speak the language and are just fishing for an argument.
Please refrain from making negative assumptions about my language skills and motives. I am not a native speaker of the language, but I do read and understand it fine. This is not the place for passive or backhanded personal attacks.
> I have already explained why your comment is incorrect, have nothing else to say to you on that subject...
Since you made it personal, and then went on to say quite a bit on that subject I will provide my comments:
Thank you for acknowledging the validity of my points. I hear your argument, but it doesn't invalidate mine. Either an accent mark has no bearing on the meaning of a word or it does. I have demonstrated that it is absolutely and undeniably the case that an accent mark can change the meaning of a word in Catalan.
My original assertion is, verbatim: "...the accent can completely change the meaning of a word". You aren't arguing that ma and mà are the same word, despite your assertion that "the presence or lack of accent does not as a rule change the meaning of a word".
I don't address formal grammatical rules, and I am not arguing against your interpretation, it is correct AFAICT. I understand that there are rules for placing accent marks, which is why I asked you to explain the full rule when I was able to easily contradict the grammar rule. That doesn't contradict my argument.
The argument is simply that the placement of an accent changes the meaning of some words in Catalan. There was a side argument that if the last syllable is stressed it must have an accent on the vowel, which you asserted was true "as a rule". That was not true, as evidenced by your having to explain when it doesn't work "as a rule". It can be the case that accent marks have rules for when they are written, and also be the case that different words can have the same letters and differ only in the accent. Both of our arguments are correct.
In this exact case that is what is happening. Catala is a niche programming language named after a French man. Català is a language. The presence of the accent is distinguishing meanings between Catala and Català. I can write the following: "Parlo català, però no se res sobre el llenguage Catala", and the presence or absence of accents will mean the difference between that sentence being gibberish and that sentence meaning something. Likewise, ma, si, dona, que, etc. can all have an accent added to them to give them a completely different meaning in Catalan. It is unequivocally true, and I don't know why you would assert otherwise.