> Is it considered apropos to state how surprised you are that developers who come across as relatively senior are capable of making an incredibly fundamental security mistake such as this?
Only if you're concerned that you can't tell who is "relatively senior." In this case, your judgement was unfortunately wrong.
'Relatively senior' here means 'ostensibly trusted with important tasks in the past'. Both of the creators of this application (I won't say 'founders of this startup' because that's silly) are ex-WePay.
Working in a cool company doesn't automatically mean the developer is competent. Neither does working for a large corp, for that matter. I've seen far too many examples of this, unfortunately.
I had to look up WePay on Google. The Wikipedia page says they have 30 employees as of a year ago, did YC and 1 round of funding.
I have to be honest - that doesn't demonstrate a high level of trust at all these days. It's sad, but true. Plus, if you say they're "ex-WePay," I assume they were just everyday developers for WePay, not critical resources.
"Head of Product" sounds like a product manager, it doesn't even sound like an engineer at all - this makes it even less surprising that these pathetic security holes existed.
Just to be clear, that means my assumptions you lambasted were generous. Not folly.