
Evan J Johnson ejcx

ejcx / company-ownership.md
Created Jul 5, 2016 — forked from jdmaturen/company-ownership.md
Who pays when startup employees keep their equity?
View company-ownership.md

Who pays when startup employees keep their equity?

JD Maturen, 2016/07/05, San Francisco, CA

As has been much discussed, stock options as used today are not a practical or reliable way of compensating employees of fast-growing startups. With an often high strike price, a large tax burden on execution due to AMT, and a 90-day execution window after leaving the company, many share options are left unexecuted.

There have been a variety of proposed modifications to how equity is distributed to address these issues for individual employees. However, there hasn't been much discussion of how these modifications will change the overall ownership dynamics of startups. In this post we'll dive into the situation as it stands today, where there is very near 100% equity loss when employees leave companies pre-exit, and then we'll look at what would happen if there were instead a 0% loss rate.

What we'll see is that employees gain nearly 3-fold, while both founders and investors – particularly early investors – get dilute

View sam-questions.js
this.ycQuestions = [
"So what are you working on?",
"Have you raised funding?",
"What makes new users try you?",
"What competition do you fear most?",
"What’s the worst thing that has happened?",
"Will you reincorporate as a US company?",
"What’s an impressive thing you have done?",
"Where is the rocket science here?",
"Why did you pick this idea to work on?",
View webappsecirc
15:59 < mkwst> present+ mkwst
15:59 * mkwst might need to do that again if Zakim doesn't actually recognize the call?
15:59 < bhill2_> present+ bhill2
15:59 < bhill2_> Meeting: WebAppSec Teleconference, 23-Mar-2016
16:00 < bhill2_> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0073.html
16:00 < bhill2_> Chairs: bhill2, dveditz
16:00 < freddyb> present+ freddyb
16:00 -!- bhill2 [~bhill2@public.cloak] has quit [Ping timeout: 180 seconds]
16:00 -!- gmaone [~chatzilla@public.cloak] has joined #webappsec
16:01 -!- teddink [~teddink@public.cloak] has joined #webappsec
View curl.ingvar
root@ejjio:/var/www/breaking-sop# curl ej.cx -sI | grep Report-Only
Content-Security-Policy-Report-Only: default-src cf://*; report-uri https://ejj.io/report-uri
Content-Security-Policy-Report-Only : default-src df://*; report-uri https://test.io/report-uri
ejcx / top-700k.json
Created Feb 24, 2016
Alexa Top 700k Survey
View top-700k.json
{"":"","HTTP/1.1 200 OK":"","access-control-allow-credentials":"true","access-control-allow-origin":"http://evil.com.ej.cx","cache-control":"no-store, no-cache, must-revalidate, post-check=0, pre-check=0","content-type":"text/html","date":"wed, 24 feb 2016 01:17:21 gmt","expires":"thu, 19 nov 1981 08:52:00 gmt","pragma":"no-cache","server":"apache/2.2.22 (ubuntu)","set-cookie":"phpsessid=2phdir1nkjt822p5lelc2vtf65; path=/","vary":"accept-encoding","x-hostname":"http://.ej.cx","x-powered-by":"php/5.3.10-1ubuntu3.21"}
{"":"","HTTP/1.1 302 Found":"","access-control-allow-credentials":"true","access-control-allow-methods":"get, head, post, put, patch, delete, options","access-control-allow-origin":"https://wetransfer.com.evil.com","access-control-expose-headers":"","access-control-max-age":"60","cache-control":"no-cache","connection":"keep-alive","content-type":"text/html; charset=utf-8","date":"wed, 24 feb 2016 01:17:55 gmt","location":"https://www.wetransfer.com/","server":"nginx","status":"302 found","vary":"o
View cors-scanner.sh
#!/bin/sh
while read -r domain
do
    # Remember. Account for the fact that some sites don't exist on HTTP
    # And others don't exist on HTTPS. Prune later.
    curl -I "https://$domain" --max-time 3 -H "Origin: https://$domain.evil.com" | ./respirator&
    curl -I "http://$domain" --max-time 3 -H "Origin: http://$domain.evil.com" | ./respirator&
done < "top1mdomains"
View respirator.go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"log"
	"os"
	"strings"
)
View trickery.sh
root@ejjio:/var/www/misconfigured-cors# curl -H "Origin: https://ejj.io.evil.com" https://ejj.io -I
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Wed, 24 Feb 2016 06:47:21 GMT
Content-Type: text/html
Set-Cookie: PHPSESSID=sd7ejaf2lufukhq7se49lmsg76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Access-Control-Allow-Origin: https://ejj.io.evil.com
Access-Control-Allow-Credentials: true
View nottrue.jpg
~ vagrant :) curl ruben.verborgh.org -I -H "Origin: http://ej.cx"
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Tue, 23 Feb 2016 23:04:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14887
Last-Modified: Tue, 16 Feb 2016 13:23:48 GMT
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 24 Feb 2016 00:04:16 GMT
View abcnews.go.com
root@ejjio:/var/www/breaking-sop# curl abcnews.go.com -H "Origin: http://abcnews.go.com.ej.cx" -I
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=edge,chrome=1
Content-Type: text/html;charset=utf-8
X-VG-WebCache: 164
Cache-Control: max-age=60
Content-Length: 151796
Accept-Ranges: bytes
Date: Tue, 23 Feb 2016 06:34:49 GMT