How Broken Should Your MVP Be?

Marc Louvion is Twitter / X's next Pieter Levels.

He's shipped 24 products but has had the most success with ShipFast, which allegedly does $46k of revenue a month. That's pretty sweet. Good for Marc, I hope to get there one day.

ShipFast is a NextJS boilerplate that has sold somewhere around 4297 copies for somewhere around 200-300 bucks. That's like 850k in revenue. Nice.

If Marc's numbers are right, he's printing money. It does feel kinda ironic/sad/scammy that the product he had the most success with was a product that aims to sell the dream of selling a SaaS. It's the classic inception-style move where an entrepreneur will sell a course on how to start a business and the revenue from the course will eclipse the original business idea. But it did work for him, so there must be demand. Prob not the path I wanna go but good for him.

Sections of Twitter/X are up in arms over Marc's practices for ShipFast and I agree with some arguments.

Marc makes the point that devs think you should write tests and that this slows devs down from shipping a product. I think that's true to some extent. If your product is not very mature, tests aren't on the radar. Once it does mature, tests might are a good idea. And then when you're skilled enough to write tests, perhaps you can implement them from the beginning on new projects.

Marc's detractors note that his product's paywall is easily bypassed. I don't think that's a big deal. Pirates don't pay for stuff anyway and customers who are honest will pay and be honest. Marc is the only one who is hurt by that.

Where it gets gross is that some X users have claimed that you can change the profile ID in a dashboard URL and access other people's profile data. That's not great.

Worst of all, Marc is selling a SaaS Boilerplate...how many of his security vulnerabilities are present in the boilerplate? So new devs or people who want to grab the template are building products on top of something that at a minimum...uses pretty sketchy security practices.

So how broken should your MVP be?

Your MVP shouldn't be broken at all 😂

"OK but...what does broken mean?"

Your MVP for a product should work. All the buttons should go places and not 404, basic functionality should work, and you shouldn't be able to see other user's data. Edge-cases might exist, but the core features all work.

When people say that you should be embarrassed by your MVP or you've shipped too late, I think they mean it can be kinda ugly. Craigslist is still ugly and one of the top trafficked websites on the internet. Your software must function.

Maintenance and on-going improvements are a good thing. And if you stacked up $2189 in boilerplate revenue in a day, IDK, I kinda think you could pay someone to come in and clean up your mess a little:

This post feels awkward to even write, I don't enjoy writing about other people...it feels gossip-ey and I don't have enough time to research the whole story.

How to Security like a Boss

If I were launching an app, I'd familiarize myself with the OWASP Top 10, which is a list of common web vulnerabilities. The funny thing is that, most or all of these top 10 and the bugs/vulnerabilities that Marc's product ran into are not an issue if you're using a web framework like Ruby on Rails or Laravel.

You could even just 1-shot the question with a ChatGPT or Claude prompt like "How do I secure my new web app I just launched? It's written in nextjs". Or throw the same thing into cursor.