It's not just a common scenario for early to medium stage startups. It's also a common scenario for every other business with a bug bounty program.
Sometimes, the consequences aren't high.
"Your CORS is configured to allow access from another domain, also owned by you."
"You can give yourself a redirect to any site by intercepting and modifying your own Host header."
"Your static blog on a separate domain from your actual site is accessible over unencrypted HTTP."
"If I zoom in on your web page, the text becomes blurry."
If your question was from the other end, "what do you do as the company when you get a report like this?", I say something like "We don't believe that this warrants fixing at this time. Thanks for your interest in our program, and we hope you continue reporting to us in the future!"
What I'm thinking of are things like "a paying customer can DoS you with a carefully constructed malicious input". That usually won't be a practical issue if you're small enough to know all your customers - but it has the potential to be very problematic if you incentivize people to find it.
> Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report