It's pretty shocking how many commenters are blaming the individual for not "trying harder" to find contact information. It's pretty clear a16z didn't want to pay anything or appreciate the disclosure at all.
Finding random email addresses and sending them a notice would have gone nowhere other than spam folders. I get dozens of "disclosures" every week from mostly script kiddies that think my DKIM setting is somehow going to be the end of my business. My brain automatically ignores emails like that.
I'm surprised there is almost no discussion about the severity of reputational damage caused by an extremely amateur bug not expected of a prominent VC firm.
Yes... In my mind, there are three kinds of security bugs.
1. Caused by pure ignorance and completely avoidable (this bug).
2. Caused by subtle configurations, workflows, programming (mostly avoidable, secret scanning, security linters, code reviews, general intelligence, etc). This is where 99% of security bugs are.
3. Caused by a malicious actor aligning planets with a single intent to maximize their cause. You'll never stop these people (three letter agencies, state actors).
Probably because a16z reputation has already been quite tarnished in recent years. This is par for the course. People will still take their massive bags of money and name brand boost but "these are smart, technical, 'making the world a better place' visionaries" as opposed to wealth chasing bankers, has already run the gamut.
See crypto, Clubhouse, "it's time to build [not in my Atherton neighborhood]", e/acc Nick Land manifesto, Trump '24 support, etc.