In late June, a security researcher discovered a vulnerability in a web app used by a16z, one of Silicon Valley's most powerful and influential venture capital firms, exposing some data about the firm's portfolio companies. The bug has since been fixed.
On June 30th, a security researcher going by the name of xyzeva wrote to X, hoping to get in touch with someone at a16z, suggesting that he had discovered a security issue.
“Contact me now. This is bad. Security related,” she wrote.
When contacted by TechCrunch, Xyzeva said he found a “very simple bug” in the a16z portfolio portal that “gave him access to basically everything.” Specifically, he found an exposed API key on the site at portfolio.a16z.com. Xyzeva said the information he was able to see included emails, passwords, and “company details and employees.” He added that he was also able to send emails as a16z and access previously sent emails from the company's account on Mailgun, an email delivery service.
In a statement to TechCrunch, a16z's chief information security officer, Brian Greene, confirmed that the company fixed the bug the same day xyzeva contacted the company about its story, but said the issue did not affect any sensitive data.
“On June 30, a16z addressed a misconfiguration of a web app used for the specific use case of updating publicly visible information on our website, including our company logo and social media profiles. The issue was quickly resolved and no sensitive data was leaked,” Green said. “We remain committed to working with the security community on ethical disclosures and will continue to do so in a responsible manner.”
In a text chat reviewed by TechCrunch, xyzeva inquired about a bug bounty program (a way for security researchers to get paid for their discoveries) and a company employee replied that the company doesn't offer such a program. “However, we would like to have something special for you on this once our analysis is complete,” the employee said.
But a few days later, the employee told Xyzeva, “Unfortunately, we're having some issues,” according to another text exchange reviewed by TechCrunch.
“First, there's the method of disclosure: publicly posting that we had a significant issue could potentially lead potential attackers to scan our site looking for issues, which unnecessarily increases risk for our company and falls outside of our standard method of vulnerability disclosure,” the employee said. “Second, your follow-up post incorrectly describing 'basically everything is fully accessible' and promising a write-up did not convey the best intentions to the team. If this has been misconstrued, please let us know.”
It is not uncommon for security researchers to publicly disclose their findings once a vulnerability or issue has been fixed and no longer poses a risk.
At the time of writing, the portal where Xyzeva discovered the issue is unavailable, with a message on the site saying “This application will be discontinued.”
Over the years, a16z has invested in many well-known companies, including Airbnb, Coinbase, Instacart, Lyft, and Slack. The firm's founders, Marc Andreessen and Ben Horowitz, recently stated that they would support Donald Trump in the next presidential election.