In late June, a security researcher discovered a vulnerability in a web application used by a16z, one of Silicon Valley’s most influential venture capital firms, that exposed some data related to the firm’s portfolio companies. The flaw has since been fixed.
On June 30, a security researcher known as xyzeva posted on X that she was looking for someone from a16z to contact, hinting that she had found a security issue.
“Contact me now. This is bad. It’s about security,” she wrote.
When contacted by TechCrunch, xyzeva said she found a “really simple bug” that “gave access to everything” on the a16z portfolio portal. More specifically, she said she found exposed API keys on portfolio.a16z.com. The information she was able to see included emails, passwords, and “company and employee details,” xyzeva said. She also said she was able to send emails as a16z and to access emails previously sent from the company’s account with Mailgun, an email delivery service.
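The failure described above, API keys reachable from a public web property, is the kind of thing a team can catch before a researcher does by scanning the assets the site actually serves. The following is an added example, not code from the article or from a16z, showing one such check: it scans a constructed sample of a front-end bundle for credential-shaped strings and uses a Shannon-entropy threshold to drop low-entropy placeholders. The `key-` plus 32-hex pattern is an assumption about Mailgun's older private API key format; the other two patterns are generic shapes of secrets that end up in client-side code, and the sample bundle is invented for the example.

```python
import math
import re
from collections import Counter

# Credential-shaped patterns. The Mailgun "key-" + 32 hex form is an
# assumption based on Mailgun's older private API key format; the other two
# are generic shapes for secrets that get baked into front-end code.
SECRET_PATTERNS = {
    "mailgun-legacy-key": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "generic-assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{16,})['"]"""
    ),
    "bearer-token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{20,})"),
}

# Constructed sample of a served JavaScript bundle (not the real portal's code).
SAMPLE_BUNDLE = """// Constructed sample of a front-end bundle (not the real portal's code)
const config = {
  apiBase: "https://example.invalid/api",
  apiKey: "sk_live_9f8e7d6c5b4a39281716151413121110",
  secret: "aaaaaaaaaaaaaaaaaaaa",
};
fetch(config.apiBase, {
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1wYXlsb2Fk.c2lnbmF0dXJl" },
});
const mailgun = "key-0123456789abcdef0123456789abcdef";
"""


def shannon_entropy(s):
    """Bits of entropy per character; real secrets score high, placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.0):
    """Return a list of findings for credential-shaped strings in `text`.

    Each finding records the pattern name, the 1-based line number, the
    captured value and its entropy. Generic matches below `min_entropy`
    (e.g. "aaaaaaaa..." placeholders) are dropped; the Mailgun pattern is
    structural enough to keep regardless of entropy.
    """
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            # Use the last capture group as the secret value when the pattern has one.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            entropy = shannon_entropy(value)
            if name != "mailgun-legacy-key" and entropy < min_entropy:
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(
                {"kind": name, "line": line_no, "value": value, "entropy": round(entropy, 2)}
            )
    return findings


def scan_sample():
    """Run the scanner over the constructed bundle."""
    return scan_text(SAMPLE_BUNDLE)


if __name__ == "__main__":
    for f in scan_sample():
        # Print only a prefix of the value so the report itself does not leak the secret.
        print(f"line {f['line']:>3}  {f['kind']:<20}  entropy={f['entropy']}  {f['value'][:8]}...")
```

In practice this runs against the HTML and JavaScript the site serves (fetched the way a browser would fetch them), and a hit is treated as a rotation event, not just a cleanup: anything that was ever served to a browser must be assumed copied. The longer-term fix is architectural, keeping provider credentials such as a Mailgun key on the server side behind an authenticated endpoint rather than shipping them to the client at all.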
In a statement to TechCrunch, Brian Green, chief information security officer at a16z, confirmed that the company fixed the bug the same day xyzeva published the post and contacted the company, but said the issue did not affect any sensitive data.
“On June 30, a16z addressed a misconfiguration in a web application used for a specific use case to update publicly available information on our website such as company logos and social media profiles. The issue was quickly resolved and no sensitive data was compromised,” Green said. “We remain committed to engaging with the security community on ethical disclosures and will continue to do so through responsible means.”
In a text conversation seen by TechCrunch, where xyzeva inquired about a bug bounty program — a way for security researchers to get rewarded for their discoveries — a company employee told her that the company doesn’t offer such a program. “However, after we complete the analysis, I’d be more than happy to try to set something up for you in this case,” the employee said.
But days later, the employee told xyzeva that “unfortunately, there are some things holding it back,” according to another text exchange seen by TechCrunch.
“First, there’s the disclosure process. Posting publicly that a serious issue exists meant that potential attackers could potentially scan our sites for the issue, which unnecessarily increased our risk and is outside the norm for how vulnerability disclosures are conducted,” the employee said. “Second, the subsequent post that incorrectly described ‘full access to almost everything’ and promised to write a report did not reflect the best intentions of the team. If there is any misunderstanding from this, please let me know.”
It is not uncommon for security researchers to disclose their findings once a vulnerability or issue has been fixed and no longer poses a risk.
As of the time of writing, the portal where xyzeva found the issue is unavailable. “This application is in deprecation,” reads a message on the site.
Over the years, a16z has invested in many well-known companies such as Airbnb, Coinbase, Instacart, Lyft, and Slack, among many others. The company’s founders, Marc Andreessen and Ben Horowitz, recently said they were supporting Donald Trump in the upcoming presidential election.