WebVerse Writeups

WebVerse

Goat Gear Garage

Kyle opened Goat Gear Garage with a single 1972 Triumph Bonneville and a handshake loan. Twenty years later the inventory spans sixty bikes and the shop is still the same three bays. The website went live in 2019 and hasn't had a code review since.

By Minatour 04 Jun 2026

WebVerse

Briarcliff Foundation

Briarcliff Foundation has accepted humanities and historical-preservation proposals through the same Fluxx-style portal since 2018. The withdraw-application control was added late in development — and shares plumbing with the committee's own review tooling.

By Minatour 04 Jun 2026

WebVerse

Salt Brook Pilates

Salt Brook Pilates is a founder-led studio in the Hudson Valley running reformer classes out of two storefronts. The new profile endpoint went live without a strong-params review — the form only ever submitted four fields, so nobody worried about what else the API would accept.

By Minatour 04 Jun 2026

WebVerse

Heartwood Outfitters

Heartwood's site was built in a long weekend by a co-founder who reads more about fly-fishing than web security. The reset flow uses a 4-digit numeric code; the verify endpoint has no rate-limit, no captcha, and no lockout — so the 10,000-code space is fully enumerable.

By Minatour 04 Jun 2026

WebVerse

Coined

Coined's treasury holds nine figures in crypto, and its cold-storage Vault guards the recovery phrase behind every coin of it. Your objective is simple to state: reach the account that controls the treasury and read the Vault's recovery phrase.

By Minatour 04 Jun 2026

WebVerse

Noted

The whole team runs on Noted: standups, 1:1s, customer calls, all captured and summarised. Past the notes and the settings there's an internal admin area the staff use to run the workspace. Your objective is to reach it.

By Minatour 04 Jun 2026

WebVerse

Tamper Temple

Temple Trust runs its order desk behind 'The Temple' — a freshly hardened portal bolted onto a v1 API nobody ever dared retire, watched over by 'developerDave', who's leaving and means to do damage on the way out. You're handed bob/temple123 to get through the front gate.

By Minatour 04 Jun 2026

WebVerse

Pinegrass Library Co-op

Pinegrass has been a member-funded library co-op since 1962. The portal was set up by Cyrus, the volunteer IT person, who picked a 'temporary' password for every staff account. None of them changed it. The login form, separately, is clearer about errors than is good for it.

By Minatour 04 Jun 2026

WebVerse

TopHat

TopHat & Co. has blocked hats on Marlowe Lane since 1887, and finally put the shop online last spring. A junior dev wired up the checkout over a weekend, cutting corners to make the launch date — and meant to come back and harden it once things settled down. They never did.

By Minatour 02 Jun 2026

WebVerse

Autovation

Autovation lets teams automate the boring parts: workspaces share automations by exporting workflows to a portable file. The importer rebuilds the workflow object straight from the upload, nodes and all. Rebuilding a saved object from an uploaded file is where things get interesting.

By Minatour 02 Jun 2026

WebVerse

Brackish Brewing Co

Brackish Brewing — a small Coalridge taproom — runs a Flask website the head brewer's partner wrote over a few rainy weekends. After they moved off their old reverse proxy in early 2025, nobody revisited the assumptions the staff section was quietly making about where traffic comes from.

By Minatour 01 Jun 2026

WebVerse

Quikpay Receipts

Quikpay is a small payments backend used by a few dozen indie software shops. They take the design seriously. They also have a debug branch in the resend handler that the engineering lead added during a late-night incident and never wrapped in a feature flag.

By Minatour 01 Jun 2026