Why broadcast the tweet publicly instead of sending it as a DM to A16Z then?
It’s obviously not safe to publicly announce the existence of a security vulnerability, and there was no barrier to alerting them privately via the same platform.
> It’s obviously not safe to publicly announce the existence of a security vulnerability
Publicly showing the vulnerability would have been unsafe, but I don't think there's much harm in asking to get in touch about an unspecified security issue (not even saying that it's a vulnerability in their website). Andreessen Horowitz is a massive firm, not some tiny website flying under the radar.
> and there was no barrier to alerting them privately via the same platform
DM would have to get picked up by their social media person next time they check Twitter, whereas a directed tweet can additionally leverage networks and be escalated by people with contacts - possibly someone could give the up-to-date engineering contact email, for instance.
Either way would have been fine, really. I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
> I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
You're going over things "with a fine-comb". I just wrote two sentences that made a single point.
The extent to which attempted fault-finding of someone's behavior is unwarranted is not determined by the number of words. I could complain "Why break my door when the window was open!?" to the firefighter carrying me out of a burning building in nine words.
The email the researcher found (engineering) seems more appropriate than the office info emails (menlopark-info, ...) at the bottom of the Connect page (an actual "contact" page used to exist, but is now 404 with no redirect). I don't see anything irresponsible about trying engineering then reaching out over social media.
The researcher found an email address, tried it, it bounced, then reached out over Twitter with:
> someone from @a16z get in touch, now. its bad. security related.
https://x.com/xyz3va/status/1807330215955177937
That doesn't seem irresponsible to me. Sure they could have searched the bottom of a connect page for the office emails to try, but I don't see any significant issue with what they did instead.