Practice Portal

The client portal your firm has been waiting for.

Invoices, documents, and your whole team — one secure place. Trusted by firms in accounting and healthcare.

Open the app →Run the exploits →

It looks like a finished SaaS. It leaks every firm's data to every other firm.

For reviewers

Two tenants are seeded: Ledgerline CPA (accounting) and Willowbrook Care (healthcare). Log in as anyone (one-click on the sign-in page), browse the app — then open the Security X-rayand fire each exploit live: read the other firm's invoices, team PII, and private patient documents, and escalate a member to admin.

The eight findings

Finding #1 Critical
RLS off on `orgs`
Finding #2 Critical
`line_items` has no policy
Finding #3 Critical
`using (true)` on `profiles`
Finding #4 Critical
Service key in the browser
Finding #5 High
Admin API skips role check
Finding #6 High
Mass assignment → self-promote
Finding #7 High
Storage bucket is public
Finding #8 Medium
PII over-exposure via `*`

Full teardown — how each bug was planted, exploited, and fixed — on the portfolio →