Security Vulnerability Found in a16z’s Web App Exposing Data on Portfolio Companies

**A Vulnerability in a16z’s Web App Exposed Data on Portfolio Companies**

In late June, a security researcher discovered a vulnerability in the web app used by a16z, one of Silicon Valley’s most influential venture capital firms. The researcher, known as xyzeva, took to social media platform X to express her concern about the security issue she had found. She hinted that the bug was serious and urged someone from a16z to get in touch with her.

When TechCrunch reached out to xyzeva, she described the bug as a “really simple bug” that granted access to everything on a16z’s portfolio portal. She explained that she had discovered exposed API keys on the site portfolio.a16z.com. Through this vulnerability, she gained access to sensitive information such as emails, passwords, company details, and employee information. Furthermore, she could have sent emails on behalf of a16z and accessed previous emails sent by the company via Mailgun, an email delivery service.

a16z’s Chief Information Security Officer, Bryan Green, confirmed that the bug was fixed on the same day xyzeva posted about it and reached out to the company. However, Green stated that the bug did not compromise any sensitive data. He explained that the misconfiguration in the web app was related to updating publicly available information on the company’s website, such as company logos and social media profiles.

**Lack of Bug Bounty Program Raises Questions**

During a conversation with a16z about a potential bug bounty program, xyzeva was informed that the firm did not currently provide one. However, an employee expressed willingness to set up a program specifically for her case once the analysis was complete.

Days later, though, the employee informed xyzeva that there were obstacles preventing the establishment of a bug bounty program. The first obstacle was xyzeva’s public disclosure of the issue, which increased the risk of attackers scanning the firm’s sites for vulnerabilities; the employee stated that this manner of disclosure was not in line with standard practice for vulnerability disclosures. The second obstacle was xyzeva’s follow-up post, which inaccurately described “full access to basically everything” and promised a write-up. This raised concerns about xyzeva’s intentions.

**The Future of a16z’s Web App**

The portal where xyzeva discovered the vulnerability is currently unavailable, with a message stating that the application is being deprecated. This suggests that a16z is working on improving the security of their web app or may be transitioning to a new system altogether.

**a16z’s Noteworthy Investments and Political Support**

Over the years, a16z has made significant investments in well-known companies such as Airbnb, Coinbase, Instacart, Lyft, and Slack, among others. The firm’s founders, Marc Andreessen and Ben Horowitz, have recently declared their support for Donald Trump in the upcoming presidential elections.

Despite the security incident, a16z remains committed to collaborating with the security community on ethical disclosures and resolving any vulnerabilities responsibly.