DEV Community

Cover image for RamenHire: Outreach, a Real Answer, and What I Still Don't Know
Lior Karaev
Lior Karaev

Posted on

RamenHire: Outreach, a Real Answer, and What I Still Don't Know

Two things happened this week that matter more than anything I built: I asked 13 real companies for permission, and a stranger's public feedback closed out a security thread that started three comments ago.

The security thread closes out

A reader (credited in the comments of my last post) found three real issues in RamenHire's Supabase setup over the course of a few days — an overly broad delete permission, a question about whether upload URLs were properly tied to real submissions, and, in the most recent round, a second broad delete grant I hadn't caught either. Each one got fixed and verified against the actual production environment, not just tested locally and assumed to carry over.

The full audit — including a proper security-audit-with-severity-ratings pass, an HTML-injection fix in outbound emails, and one deliberately deferred item I'm tracking rather than rushing — is public in the repo now. Prompted entirely by someone reading closely and asking good questions in a comment section. That's a better security process than I would have run on my own, for free, because I wrote honestly about what broke.

Outreach: 13 emails, 1 real response

This week's actual work: reaching out to all 13 companies whose open roles I'd curated onto RamenHire before they knew the site existed. Permission-first, not "you're already listed, come claim it" — I've written before about why I killed that model.

The honest tally so far: one response. Featurebase's founder (genuinely lovely exchange, handled by their own AI support tool, no less) asked me to take their listing down since they manage hiring through their own Notion board — and thanked me for asking first instead of just listing them. That's a real, if small, validation of the honest approach: even a "no" landed well, because it was actually their choice.

Twelve are still silent, which is the expected outcome of cold outreach in week one, not a bad sign yet.

What's coming next

Company self-service is next on the build list — specifically, a way for a company to edit or remove their own listing without emailing me directly, using the same verified-email pattern already built for registration. Directly prompted by the Featurebase exchange: watching a real company ask "please take this down" made it obvious this needs to be self-serve, not something that routes through my inbox every time.

What I actually don't know yet

Two honest, open questions, and I'd genuinely like real answers rather than assumptions:

For anyone who's looked at ramenhire.com cold — does the homepage explain what this is and why "verified bootstrapped" matters, fast enough? Or does it need to work harder before someone decides whether to keep reading?

For founders specifically — before you'd register a company profile, what would you want to see first? Proof of real traffic, other companies already listed, something else entirely? I don't have enough registered companies yet to learn this from usage, so I'm asking directly instead.

Happy to hear blunt answers on either.

Top comments (5)

Collapse
 
vollos profile image
Pon

Took the cold look you asked for. Headline plus the manually-reviewed line answered what and why fast, no complaints there. Where I stalled was the post-a-job button, it shows Free and $99 in the same breath, and I had to find the early-access line before I knew which one you meant.

Collapse
 
l_build profile image
Lior Karaev

Fixed and live. The hero button and the post-job submit button both just say "Free" now, unambiguous — the $99-later context is nearby as supporting text instead of stacked on the button itself. There's a pop-up modal elsewhere on the site that already had this right, so I matched its button style instead of inventing new copy.

While checking the page directly instead of just trusting the fix, I also found an unrelated regression on the same page — missing Open Graph/Twitter metadata that had silently broken on 6 pages sitewide (a Next.js quirk where a page's own metadata object fully overrides the layout's instead of merging with it). Fixed that too, plus built a shared helper so it can't silently break again per-page. Not what you flagged, but wouldn't have gone looking without your comment prompting a proper look at that page in the first place.

Collapse
 
vollos profile image
Pon

Shipped inside a day, with a bonus regression caught on the way. The override-not-merge thing is easy to miss because every page still renders, nothing looks broken until a share card turns up blank. The button read was the easy half, you did the rest.

Thread Thread
 
l_build profile image
Lior Karaev

Appreciate that — and honestly, four rounds in, I don't think I'd have developed the habit of actually checking pages directly instead of trusting the code without this whole thread pushing me to. Thanks for sticking with it.

One heads-up while I have you: there's a bigger piece of work coming up — real per-company accounts and access scoping, replacing the current "authenticated basically means admin" setup that's been sitting there deliberately unaddressed. Given the track record so far, I'd genuinely welcome another look once it's up.

Thread Thread
 
vollos profile image
Pon

Count me in when it ships. Access scoping is a meatier round than button copy, and naming the 'authenticated basically means admin' problem out loud before building is the right order to do it in. Write it up like you did this one and I'll show up.