Marc Andreessen, co-founder and general partner of Andreessen Horowitz, speaks during the TechCrunch Disrupt San Francisco 2016 Summit in San Francisco, California, U.S., on Tuesday, Sept. 13, 2016.

Image Credits: David Paul Morris/Bloomberg / Getty Images


At the end of June, a security researcher found a vulnerability in a web app used by a16z, one of the most powerful and influential Silicon Valley venture capital firms, which exposed some data about the firm's portfolio companies. The bug has since been fixed.

On June 30, a security researcher who goes by xyzeva wrote on X that she was looking for someone from a16z to reach out, hinting that she had found a security issue.

“Get in touch, now. its bad. protection related,” she wrote.

When reached by TechCrunch, xyzeva said that she found “a really dim-witted bug” that “fundamentally gives access to everything” on a16z's portfolio portal. More specifically, she said that she found exposed API keys on the website portfolio.a16z.com. xyzeva said that the data she was able to see included: emails, passwords, and “company details and employees.” Also, she added, she could have sent emails as a16z and accessed previously sent emails from the company's account with Mailgun, an email delivery service.

In a statement to TechCrunch, Bryan Green, the chief information security officer at a16z, confirmed that the company fixed the bug on the same day xyzeva wrote the post and got in touch with the company, but said that the issue didn't affect any sensitive information.

“On June 30th, a16z addressed a misconfiguration in a web app that is used for the specific use case of updating publicly available information on our website such as company logos and social media profiles. The issue was resolved quickly and no sensitive data was compromised,” said Green. “We remain committed to collaborating with the security community on ethical disclosure and will continue to do so through responsible means.”

In a text conversation seen by TechCrunch, where xyzeva inquired about a bug bounty program (a way for security researchers to get rewarded for their findings), a company employee told her that the firm doesn't provide one. “However, after we complete the analysis I'm very happy to attempt to set something up specifically for you in this case,” the employee said.


Days later, however, the employee told xyzeva that “unfortunately, there are a couple of things getting in the way,” according to another text exchange seen by TechCrunch.

“First, there's the disclosure method. Posting that there was a serious issue publicly means that potential attackers were in all probability scanning our site to search for the issue, which increased risk for us unnecessarily and is outside the norm of how vulnerability disclosures are done,” said the employee. “Second, the follow-up post that wrongly claimed ‘full access to basically everything’ and promised a write-up didn't indicate the best intentions to the team. If any of this is being misunderstood, please let me know.”

It's not uncommon for security researchers to publish their findings when the vulnerability or issue is fixed and no longer at risk.

As of this writing, the portal where xyzeva found the issue is not available. “This application is being deprecated,” read a message on the site.

Over the years, a16z has invested in several well-known companies like Airbnb, Coinbase, Instacart, Lyft, and Slack, among many others. The firm's founders Marc Andreessen and Ben Horowitz have recently said that they are supporting Donald Trump in the coming presidential elections.