That doesn't seem irresponsible to me. Sure they could have searched the bottom of a connect page for the office emails to try, but I don't see any significant issue with what they did instead.
Why broadcast the tweet publicly instead of sending it as a DM to A16Z then?
It’s obviously not safe to publicly announce the existence of a security vulnerability, and there was no barrier to alerting them privately via the same platform.
> It’s obviously not safe to publicly announce the existence of a security vulnerability
Publicly showing the vulnerability would have been unsafe, but I don't think there's much harm in asking to get in touch about an unspecified security issue (not even saying that it's a vulnerability in their website). Andreessen Horowitz is a massive firm, not some tiny website flying under the radar.
> and there was no barrier to alerting them privately via the same platform
DM would have to get picked up by their social media person next time they check Twitter, whereas a directed tweet can additionally leverage networks and be escalated by people with contacts - possibly someone could give the up-to-date engineering contact email, for instance.
Either way would have been fine, really. I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
> I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
You're going over things "with a fine-comb". I just wrote two sentences that made a single point.
The extent to which attempted fault-finding of someone's behavior is unwarranted is not determined by the number of words. I could complain "Why break my door when the window was open!?" to the firefighter carrying me out of a burning building in nine words.
The email the researcher found (engineering) seems more appropriate than the office info emails (menlopark-info, ...) at the bottom of the Connect page (an actual "contact" page used to exist, but is now 404 with no redirect). I don't see anything irresponsible about trying engineering then reaching out over social media.
So you’d rather researchers reach out to black hats with this information instead? Because that’s what this line of thinking leads to.
It’s in everyone’s, especially the company’s, best interests to have a bug bounty and easily accessible security hotline. Expecting researchers to jump through hoops like contacting their offices’ front desks to get to security is absurd.
> So you’d rather researchers reach out to black hats with this information instead?
That is pretty much what they did. Posting publicly about the vulnerability most certainly meant that every hacker in the world tried (and probably succeeded) at reproducing it, all before the company had enough time to act.
So you’d rather this happen? That is the question I asked.
Because this is explicitly what happens when a company doesn’t have a good process for accepting and responding to exploits.
The onus should entirely be on the company to invite researchers to find and report exploits in a responsible way. They are the ones at risk of losing millions of dollars over an exploit.
They didn't post publicly about the vulnerability; they reached out via Twitter to tell them that they had one, without giving any details about it whatsoever.
Telling everyone that there's a vulnerability is usually as bad as providing detailed steps. No one was looking, and now you've pointed them in the right direction.
> They also have contact email addresses listed at the bottom of https://a16z.com/connect, which the researcher conveniently missed.
They have those now. Do we know they did when the researcher tried to reach out?
Edit: I decided to take a look at it myself. It does seem that that was available on June 3rd of this year [0]. (You'll have to look at the source since the archive doesn't do their animations.) It seems to be available on previous snapshots as well [1].
I did the same thing as OP years ago: I tried to contact, in every way possible, the dev team of the largest telecom company in my country.
All channels were ignored, so I had to resort to contacting our government agencies. Luckily, one agency replied to me and had one of the devs contact me. For this hassle I was only paid $50.
You have no idea the effort we go to to report these things. So I quit bug hunting after that.
I mean, a16z should be very grateful this got reported by an honest hunter regardless of the means it was reported.
I stumbled upon a big vulnerability in an unnamed Czech ministry's web apps around January. It's now July and after trying the appropriate support email, the official "snail mail but digital", and calling various people's office landlines (thankfully they publish those in the org chart), it might get fixed this month.
If there is a next time, maybe I'll try convincing the cybersecurity bureau to take my vulnerability reports instead.
I'm generally sympathetic to what you're saying, but I also detest a16z and Horowitz personally for being the epitome of "software guy decides he's expert at everything now" and his role in the crypto bubble.
Should the hacker have tried more? Sure, maybe. Do I really care? Definitely not.
It's polite to say thanks if someone informs you that you accidentally left your backpack open.
But in no way are you supposed to give them anything.
Even further, some people take precious things from your backpack (trying to exploit the issue) and then come back to you asking for money, claiming they are nice people. This is nonsense.
... Did they actually steal anything or take advantage, or just touch the bag to make sure it wasn't fake? Seems more of the latter, and your analogy falls flat when the bag carrier contains other people's PII.
Terrible analogy. This is more like someone returning your wallet full of cash, on live TV. You aren't legally obligated to give them anything, but it sure is a dick move not to and good luck getting your wallet back next time you drop it if you don't.
Because the next person will know there's a good chance you'll give them a cash reward, and that will tip the "immorally take all the cash" vs "return it and hope for a reward" balance more in favour of it being returned.
I would have thought that was completely obvious so maybe that's not what you were asking?
The places you're most likely to get your wallet back in the world are the places you're also less likely to get a reward. The reward for returning a wallet is knowing you're doing your part to make the place you live in a nice place to live.
I think A16Z and the companies they’ve funded have done a great deal of good for the world. The very web browser you typed your angry comment into is a technology pioneered by one of its two founders.
Being anti-VC is essentially being against technological and economic progress.
It’s just that the analogy breaks down a bit. It’s fair to say a dropped wallet in a city is a one-shot game—it’s reasonable to expect neither the participants nor their acquaintances will ever encounter each other again; whereas a security vulnerability is closer to a repeated one—it’s a fairly small world. (Some kind of neighbourly behaviour would work better here, but then again, it’s more difficult to find a universal experience of that kind.) I didn’t misunderstand this, but perhaps GP did?..
You're using the wrong line of thought on the analogy here.
The value of the wallet is not the cash you'd directly lose inside of it. The value is getting your ID and cards back without them being copied by someone else, along with any other identifying information.
The value of having an up-front and easy-to-use bug bounty system is that it's easier to use than selling it off to some blackhats (hopefully). Those blackhats may otherwise scrape all your S3 buckets or somehow otherwise run up a zillion dollars of charges over a holiday with your keys.
Not when you find it on first "inspect element". That really is the equivalent of looking through someone's window and seeing their bank information and credit cards just lying in full view of anyone who'd look in.
They also have contact email addresses listed at the bottom of https://a16z.com/connect, which the researcher conveniently missed.
They were looking for clout, not responsible disclosure.