32 comments

  • bryancoxwell an hour ago

    > Their initial reply from the CEO: "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"

    Well that’s pretty damning.

    • cyberax an hour ago

      I keep getting emails with the content like: "I found a critical bypass vulnerability in your app what is the appropriate channel to disclose it, and do you have a bounty program?"

      I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

      I have a pre-written reply for these kinds of messages now.

      • kube-system 21 minutes ago

        Yeah, the signal to noise ratio on vulnerability reports is very weak, especially when the initial report withholds any detail.

        I get tons of these messages too and the ones that do include details are the kind of junk you get from free "website vulnerability scanners" that are a bunch of garbage that means nothing -- "missing headers" for things I didn't set on purpose, "information disclosure vulnerabilities" for things that are intentionally there, etc... You can put google.com into these things and get dozens of results.

      • Galanwe an hour ago

        From the looks of it, they actually asked for a way to report.

        • bdangubic 37 minutes ago

          email security@company

        • cyberax 36 minutes ago

          Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.

    • tencentshill an hour ago

      They could sell the next one to an adversary for a lot more money if they're going to act like that.

      • lixtra an hour ago

        Yes, there are also many other lucrative illegal activities.

        • tardedmeme an hour ago

          Isn't it also illegal to withhold knowledge of a vulnerability for payment? It sounds like it should fall under some variety of blackmail.

  • janice1999 an hour ago

    Finally the AI security startup hustlers will keep the other tech startup hustlers in line. Maybe the era of devastating leaks and total disregard for user privacy will come to an end (doubtful).

  • tptacek 37 minutes ago

    Initial take: as vulnerability stories go, this is a pretty boring one; what they have here is a target that was secured largely by the fact that few people knew about it. The most work done in this blog post is establishing that a training platform deployed by DoD might be much more sensitive than the same kinds of applications which are ubiquitous throughout corporate America and which are generally boring targets.

    The vulnerability itself appears to be something anyone with mitmproxy would have spotted within minutes of looking at the platform; apparently, rotating object IDs worked everywhere in the app, and there was no meaningful authz.

    It's interesting if AI systems can "spot" these, in the sense of autonomously exercising the application and "understanding" obvious failed authz check patterns. But it's a "hm, ok, sure" kind of interesting.

  • codegeek 44 minutes ago

    "There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

    Let me guess though. They are SOC2 and ISO compliant, right?
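
Added example, not part of any comment above or of the article under discussion: the missing organization scoping that tptacek and codegeek describe, shown as an unscoped lookup beside a tenant-scoped one, with a regression check that walks the ID space as a low-privilege user. All names and data here are constructed for illustration.

```python
# Added illustration; User, Record, RECORDS and both fetch functions are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    role: str

@dataclass(frozen=True)
class Record:
    id: int
    org_id: int
    body: str

# Constructed sample data: two tenants sharing one sequential ID space.
RECORDS = {r.id: r for r in [
    Record(1, 10, "org 10 roster"),
    Record(2, 20, "org 20 roster"),
    Record(3, 10, "org 10 course"),
    Record(4, 20, "org 20 course"),
]}

def fetch_unscoped(user, record_id):
    """Pattern described in the thread: any authenticated caller, any ID."""
    return RECORDS.get(record_id)

def fetch_scoped(user, record_id):
    """Object-level check: the record must belong to the caller's org."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.org_id != user.org_id:
        return None  # same answer for "missing" and "not yours"
    return rec

def cross_tenant_leaks(fetch, user, id_range):
    """Regression check: walk the ID space as `user`, list foreign record IDs returned."""
    leaks = []
    for rid in id_range:
        rec = fetch(user, rid)
        if rec is not None and rec.org_id != user.org_id:
            leaks.append(rec.id)
    return leaks

LOW_PRIV = User(id=100, org_id=10, role="trainee")

if __name__ == "__main__":
    print("unscoped:", cross_tenant_leaks(fetch_unscoped, LOW_PRIV, range(1, 6)))
    print("scoped:  ", cross_tenant_leaks(fetch_scoped, LOW_PRIV, range(1, 6)))
```

Running a check like `cross_tenant_leaks` against every object-returning endpoint in CI, with one test account per tenant, catches this class of bug before release.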

  • rectang an hour ago

    a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)

  • tardedmeme 43 minutes ago

    I wonder if this is how Handala group recently stole the list of service members.

    How do people find these vulnerabilities within the immense scope of the whole internet? Are they going around with some kind of generic API scanner that discovers APIs?

  • ryanisnan an hour ago

    Yikes, Schemata and that delinquent CEO should be held accountable.

  • bearsyankees an hour ago

  • DougN7 an hour ago

    Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.

    • beambot an hour ago

      Andreessen-Horowitz, who most people (and they themselves) refer to as a16z and have the eponymous domain name (a16z.com). They're one of the top VC firms on the planet -- exceedingly relevant to HN audiences and commonly discussed here.

      • krisoft 44 minutes ago

        > you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z

        Yes. I know Andreessen-Horowitz and I don’t know a16z. Reading the title I thought it would be about the cryptography serialisation specification. Turns out I was mixing it up with ASN.1.

        > Their website is literally a16z.com

        I hear now. Before this if pressed I would have guessed that they probably have a website indeed. If you would have twisted my arm my guess would have been andersenhorovitz.com (yup, with the typos. I learned the correct spelling today from your comment.)

        > exceedingly relevant for the HN audience

        We contain multitudes.

      • DougN7 an hour ago

        I'll be honest - I was thinking authorization (a11n?) - so I didn't read it closely enough. But despite that, and being on HN from almost the beginning (with a different account I lost the password to), I still didn't know what a16z was, though I do recognize Andreessen-Horowitz.

        • Semaphor an hour ago

          Opposite for me, I've seen a16z tons of times on HN, and also the domain where sometimes, but the full name would have meant nothing to me.

        • rectang an hour ago

          I didn't either. This is an ancient debate that can never be resolved completely, though — because the articles that HN submissions point to don't follow a style guide and there are always assumptions about audience priors. Best to just resolve it and move on.

    • bearsyankees an hour ago

      apologies, just a vc firm

      • tomhow 38 minutes ago

        The guidelines require using the same title on HN as is on the original post.

        • bearsyankees 34 minutes ago

          oh apologies, thanks for the reminder

        • tptacek 37 minutes ago

          Even when the author submits? :)

          • tomhow 14 minutes ago

            Yes... unless we think it's fine to tailor a title to activate a particular reaction from the HN audience :)