Chef's kiss. Delve issues “vibe compliance” rubber-stamp SOC and other certifications, while leaving their own door wide open with sensitive documents unsecured… for who knows how long. Security 101
A cautionary tale of a compliance startup faking everything, and almost making it
#### James Zhou
@jameszhou02 · 14h ago
btw their Supabase storage bucket is publicly accessible via any signed URL token 😭 exposes:
> employee background checks
> equity vesting schedules and grant amounts
> performance reviews
> session tokens for stripe, notion, etc
> screenshots below 🧵
I also got access to their Notion 😛
One Sentence Summary
Gergely Orosz highlights Delve, a compliance startup that issues SOC certifications while leaving its own sensitive documents publicly exposed.
Summary
This tweet is a critical commentary on Delve, a compliance startup that issues security certifications like SOC to other companies, yet failed to secure its own sensitive documents. The quoted tweet reveals that Delve's Supabase storage bucket was publicly accessible, exposing employee background checks, equity vesting schedules, performance reviews, and session tokens for Stripe and Notion. The author uses sarcastic 'Chefs kiss' and 'vibe compliance' to criticize the hypocrisy of a compliance company that rubber-stamps certifications for others while having fundamental security flaws itself. This serves as a cautionary tale about the authenticity of compliance startups.
Tags
Security
Compliance
SOC 2
Data Breach
Startup