Hi all, Hack Club founder here. I just posted this on the Hack Club Slack and want to share here too:
Hi everyone, I should have jumped in sooner. I’m sorry - I’ve been afraid to post because I’ve been worried that any response whatsoever would be crucified. That’s left a lot of you understandably asking questions and that’s on me.
This has been a very difficult set of accusations to deal with this week, and a lot of bad memories have been brought up. Please keep in mind that there is often a lot of context not mentioned and that Hack Club can’t talk about everything as transparently as we’d like due to privacy for the people involved.
First - I want to give an update on the privacy policy. We hired a data privacy lawyer in August through a referral from our main lawyer. We’ve been working with them and expect to be able to release the privacy policy in ~2 weeks. It won’t be anything earth shattering - basically that Hack Club doesn’t sell your data.
From day 1 we have cared about data privacy at Hack Club. When I was a teenager, I’d PGP sign all my emails and refused to use Gmail / etc because of privacy. When Slack made it possible for organizations to read DMs of members in ~2017, we made a public commitment to never do that for Hack Clubbers unless legally compelled (and have never done so today). That’s part of why 100% of all of the code at Hack Club is open source, which none of our peer organizations do (to my knowledge).
Part of why we haven’t been sooner to respond or release a policy is because a privacy policy != security. Practices = security. We haven’t wanted to release something imperfect, so we didn’t release anything at all. We should have just hired a privacy lawyer earlier and published what they recommended - that’s on me.
I believe that Hack Club currently meets or exceeds the security and data practices of other organizations in our space, and where we have found issues (or people have helped us find issues), we have resolved them as quickly as possible. For example, most reports through https://security.hackclub.com are resolved in less than 24 hours. Earlier this year I found a bug (https://gist.github.com/zachlatta/f86317493654b550c689dc6509...) in Google Workspace that enabled phishing from g.co, which is owned by Google - it took them 11 months to fix it (I filed in Jan 2025, got a bounty payout 2 months after reporting, and just got confirmation the bug was fixed 11 days ago).
Here are some of the various steps we’ve taken to enhance security over the past year:
- Essential staff carry YubiKeys, including myself
- https://security.hackclub.com bug bounty program was introduced
- We moved to role-based access control in Airtable and Fillout
- We moved Hackatime and other sensitive apps out of the main self-hosted servers into their own separated server group
- https://identity.hackclub.com was introduced to securely handle ID verifications with audit logs and all documents stored encrypted at rest so individual programs don’t need to handle as much PII. Servers are completely separated from the rest of HC infra.
- We started working pro-bono with a cybersecurity firm that works with Tailscale and other security-critical orgs
- We separated PII collection across YSWSs so programs generally only have access to the individual data people submit to their program (and not the full Hack Club users table)
- And a lot more small things
There are a small number of known cases of accidentally unprotected API endpoints in YSWSs, which were all quickly fixed after being reported through https://security.hackclub.com. We don’t have any evidence any data was leaked. The people who reported all received bounty payouts. Since then, the staff members responsible have been trained and feel very badly about their mistakes.
I hope we can all have a breather and have a better day tomorrow. Thank you all. More soon.
Conversation about outsourcing aside, it isn’t fair to pick one example and generalize to say an entire country’s talent pool is poor.
The US has the best engineering talent pool in the world and you can find dozens of examples at major companies as bad (or worse) than the one you linked.
We've had a similar experience at Hack Club, the nonprofit I run that helps high schoolers get into coding and electronics.
We used to be on Heroku and the cost wasn't just the high monthly bill - it was asking "is this little utility app I just wrote really worth paying $15/month to host?" before working on it.
This year we moved to a self-hosted setup on Coolify and have about 300 services running on a single server for $300/month on Hetzner. For the most part, it's been great and let us ship a lot more code!
My biggest realization is that for an organization like us, we really only need 99% uptime on most of our services (not 99.99%). Most developer tools are around helping you reach 99.99% uptime. When you realize you only need 99%, the world opens up.
Disco looks really cool and I'm excited to check it out!
Cheers, let me know if you do / hop onto our Discord for any questions.
We know of two similar cases: a bootcamp/dev school in Puerto Rico that lets its students deploy all of their final projects to a single VPS, and a Raspberry Pi that we've set up at the Recurse Center [0] which is used to host (double checking now) ~75 web projects. On a single Pi!
You should see if there's a Daydream game jam near you! It's a game jam for teens ages 13-18 happening in 100 cities simultaneously worldwide on September 27th and 28th, 2025.
2. They do it in a way where they make friends (ex. on the Hack Club Slack, on Discords, or by going to in-person events like https://daydream.hackclub.com which is an upcoming global game jam we're hosting)
3. They do it in a way where they go on memorable adventures (either physical - like traveling to hackathons, or intellectual - like trying to build a compiler from scratch)
Most small businesses cannot afford CPAs for everyday tasks. At best a CPA signs off on the annual summaries. Most day to day work is done by bookkeepers who are not CPAs.
In my area (Vermont) the going rate for a good CPA is $200/hr. Bookkeepers are $20-30/hr.
Most small businesses also can't afford the risk of current LLMs putting garbage in their books that, in the best case, has to be cleaned up or redone, or, in the worst case, gets the IRS up your ass.
Tuned LLMs will become more accurate than bookkeepers for most day-to-day small business transactions. I think you underestimate the amount of errors that normal bookkeepers tend to make.
It's hard for me to tell what is a bigger misspending of money - LLMs or Apollo... At least I have direct access to LLMs. Not sure I would need direct access to moon rocks though.
It seems quite plausible that if we hadn't done the Apollo program that we'd probably be about 10 to 20 years behind in semiconductors right now (not to mention other technologies).
When you say "we" I assume you are from Taiwan? Good for you people, but it isn't much of a win for US industrial policy when it pushes Taiwan to the ascendant position and seems to be locking in Asian dominance of tech manufacturing.
No, "we" as in humanity. Apollo funding gave the development of integrated circuits a boost. Sure, we would've developed integrated circuits eventually anyway but it would've taken longer to get there.