A researcher found a bug on the a16z website and was cheated out of the payment

One of the most influential venture capital companies in Silicon Valley, with assets worth $42 billion, stiffed a researcher, refusing to pay a reward for discovering a bug in its web application.

On June 30, a researcher with the nickname xyzeva wrote on X that she was looking for a representative of a16z in order to discuss a security issue.

As it turned out, xyzeva found a really simple and at the same time serious error that opened access to everything on the a16z company portal.

The problem was related to public API keys on the site, which allowed a potential attacker to get hold of email addresses and passwords, as well as company and employee data.

In addition, the vulnerability allowed sending emails on behalf of a16z and accessing previously sent emails from the company's account using Mailgun.

The director of information security, Brian Green, officially confirmed that the company fixed the error on the same day that xyzeva published the post and contacted the company, and assured that the problem did not affect any confidential data.

However, when it came to remuneration, the company's statements about its commitment to cooperation in matters of ethical disclosure of information changed dramatically.

To justify refusing to pay, a16z came up with two formal complaints at once, reproaching the researcher for publicizing the problem and for describing it incorrectly.

As they say, nothing personal, just business.
 