Tell HN: Stytch Login SaaS Unicorn has common auth vulnerabilities
_TL;DR_: Stytch, a Login SaaS Unicorn, has no CSRF protection in their authentication API and other questionable security practices, coupled with a nonexistent security policy.

First of all: why am I posting this on Hacker News instead of disclosing directly? From experience, a lack of security policies and of communication on existing vulnerabilities implies retaliatory practices when submitting vulnerabilities responsibly. Since MITRE CVE does not accept vulnerabilities for SaaS services, I figured that Hacker News would be the way to make Stytch aware of their issues without getting me in the crosshairs.

The setting: a few weeks ago (in June 2022, to be exact) I was looking at different authentication services, and Stytch was one of the services that got my attention. Stytch.com was founded in 2020 with over $125M [1] raised at a $1bn+ valuation [2]. Checking out what the fuss was about, I decided to look into their security practices. The lack of a bug bounty program (e.g. HackerOne),
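For readers unfamiliar with what "no CSRF protection on an authentication API" means in practice, here is an added illustration of the two checks a cookie-authenticated, state-changing endpoint is expected to perform: a session-bound synchronizer token and an Origin/Referer allow-list. This is example code written for this post, not Stytch's code or API; the secret, the allowed origin `https://app.example.com`, the request dictionary shape and the `handle_login_request` handler are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example secret; a real service loads this from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"
# Hypothetical first-party origin that is allowed to call the auth endpoint.
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(secret, session_id:nonce).

    The token is delivered to the page (hidden form field or a value the
    first-party script copies into a header), not only as a cookie, so a
    form submitted from another site cannot present it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: browsers attach Origin (or at least Referer) to
    cross-site POSTs, so a request from an unknown origin is refused."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def handle_login_request(request: dict) -> Tuple[int, str]:
    """Hypothetical handler for a cookie-authenticated, state-changing auth call.

    `request` is a constructed dict with keys 'headers', 'cookies' and 'form'.
    Returns an (HTTP status, message) pair so the outcome can be checked."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "no session"
    if not origin_allowed(request["headers"]):
        return 403, "cross-site origin rejected"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "login state changed"


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    token = issue_csrf_token(sid)
    first_party = {"headers": {"Origin": "https://app.example.com"},
                   "cookies": {"session": sid}, "form": {"csrf_token": token}}
    cross_site = {"headers": {"Origin": "https://other.example"},
                  "cookies": {"session": sid}, "form": {}}
    print(handle_login_request(first_party))
    print(handle_login_request(cross_site))
```

The point of the token check is that the browser attaches the session cookie to any request, including one a third-party page triggers, whereas the synchronizer token is only available to first-party pages; the Origin check catches the same class of request even if a token is somehow leaked.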