A few months ago when the heartbleed bug spread across the internet like wildfire I texted my friend Peter and asked him “Hey how hard is it to fix this heartbleed stuff?” A few minutes later after doing some investigation he said “Easy, the patch can be applied in less than 30 minutes if you know what you’re doing.” My mind starts racing, as the key words started resonating in my head “if you know what you’re doing.” That my friends is the essence of information arbitrage; having a skill or information that the customer lacks.
My gears started spinning and I started reading as much as I could about this topic, how many sites were affected, who was the likeliest customer, who could afford to pay for this, who had the most to lose.
I called Peter, rare, because who calls anyone anymore, texting is more efficient usually. “Peter, let’s start a site to let people check their sites to see if they have the heartbleed vulnerability. If they have it, we upsell them on a flat fee repair service.” Peter replied “hmm, how many sites have this bug?”
“70 Million at least according to CNet”
“Done, let’s do it this weekend and launch next week”
So I set off to find a domain, and a template for the design from themeforest. I stumbled upon SSLFix.com being available. Brilliant, I thought, such a short domain, its crazy that its available. Meanwhile Peter was whipping up the code we needed to test people’s sites, charge their credit cards, and handle the orders (we used plain email in a new inbox to handle the orders).
So Monday rolls around, and we launch, we push it over our social networks, get close to a thousand hits, share it wherever we can, and wait. Nothing, no one is buying. We see hundreds of sites being tested, many of whom we saw had the vulnerability. Yet no one is buying. I wonder, is our price too high? We were charging $499 for the service (our rationale was your liability would be high if you knew you were exposed, so it was worth $500 to get it done right and fast).
By Wednesday or Thursday (a week after we conceived of the idea), we had spent $50 on google adwords to drive a bit of traffic to the site, but still no sales. I decided, we can’t wait around on this, we have to try outbound sales. Who do we call though? Who do we reach out to? I stumbled upon a site that had databases of sites using certain technologies, so we bought two databases of sites using Magento and WooCommerce two popular ecommerce platforms that are self hosted, and together make up over 20% of the sites selling things online. This ended up being over 450,000 sites. Shit that’s a lot of sites, how do we know who to contact? So being intrepid entrepreneurs Peter and I whipped up a script to test each and every one of these sites for the vulnerability and store them in a separate lead list for us. This took time though, days actually to scan and test nearly half a million sites.
We ended up with 50,000 sites out of 450,000 that had the vulnerability. In my mind I start thinking, holy crap, that’s $25,000,000 in potential market size, I just need to close 1% to make a killing, $250k was going to be mine.
We had emails for about 10,000 of these sites from their whois information. Ok so we have 10,000 sites we can easily email to offer them our service, awesome. I decide I’m going to cold-email 1,000 of them to see if any bite. I find a professional email template, setup a mailchimp account, and fire off a carefully crafted email that outlined their site and the potential dangers Heartbleed caused. Then I wait… We had 47% open rate, I thought we were going to be golden. Then I get a dreaded email from mailchimp: my account was frozen for spamming! How is this possible? We were sending relevant information to people.
Oh no, so I can’t email these leads, guess that means I need to call them. I decided to look through the recipient email list to find the people who had actually opened our email in the first thousand and those were going to be the people I called.
I narrow down my list to 25 people and I start calling them. I get through to about 10 of these people, 7 of whom remembered my email (that’s a good sign I guess). Each and everyone of them gave me the same response “Well I didn’t know if my internet provider (hosting company) was responsible or not, so I called them and got them to fix it.” Shit, my plan is backfiring.
I start realizing that although tons of sites are still affected, these customers are all people who paid “some guy” a while back to setup their sites, and really don’t know enough to understand the ramifications or assumed it was “that guy’s” responsibility to fix it. Convincing these customers en masse was going to be inefficient and time consuming; and I didn’t want to have to call 4,975 more people. We eventually dropped our price to $99, but by then it was too late, web hosting companies were blanket patching people’s sites and servers without waiting for their unmanaged customers to do it themselves. So product market fit was still eluding us.
We had a product people could use, that they needed, that could save them tons of money and liability, but no one understood. So even though this was really just an MVP we built, all told we spent $600 on, and 2 days worth of coding time, we learned a lot. We learned that if we had spent two weeks or two months building this and making it more complex, we would have wasted that time and money. We learned that even if you have a clearly defined customer list who needs your products, if they don’t understand why they need you, it doesn’t matter how good you are. We also learned a lot about where to find potential customers, even if they aren’t ready to buy your service right now.
While in the end I didn’t really lose $250,000 or $25,000,000, I only lost $600 and some time. I did learn a lot, which hopefully helps translate to my next weekend project. The lesson here is that even if you think you have a solution, you might not have product market fit; that is often much harder to find. In case you’re wondering, we ended up making $0 in sales.
* Image credit Mashable.