Researcher finds flaw in a16z website that exposed some company data

The author enjoys searching Twitter for companies to give quick pentests and often finds vulnerabilities this way. While looking into a16z, they discovered sensitive AWS credentials exposed in the code of its portfolio management tool, which could have compromised the company's database, AWS account, Salesforce instance, and more. Despite the seriousness of the flaw, a16z did not reward the author with a bug bounty, citing the public outreach the author had made; the author had gone public only because no contact information was available and the emails they did send bounced. A TechCrunch article was written about the incident after the author's tweet caught a journalist's attention. The author views the lack of a reward from a16z as unfair.
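The root cause described above, AWS credentials hard-coded into application code, is exactly what a secret scanner run over a repository or a built front-end bundle is meant to catch before shipping. The following is an added example written for this summary, not code from the blog post or from a16z; it checks text for the AWS access key ID format (the documented `AKIA`/`ASIA` prefix plus 16 uppercase alphanumerics) and for a 40-character secret sitting next to a "secret" keyword, on a constructed JavaScript snippet whose key values are made-up placeholders.

```python
import re
import sys

# Constructed sample: a fragment of a front-end bundle with an embedded AWS
# key pair. Both values are placeholders, not real credentials.
SAMPLE_BUNDLE = """\
const api = "https://api.example.internal";
const awsConfig = {
  region: "us-east-1",
  accessKeyId: "AKIAEXAMPLEEXAMPLE01",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
};
const salesforceUrl = "https://example.my.salesforce.com";
"""

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars [A-Z0-9].
# The look-arounds stop the pattern from matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# Secret access keys have no fixed prefix, so require a "secret" keyword within
# 30 characters before a quoted 40-character base64-style string to limit noise.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_secret_access_key|secret)[^\n]{0,30}?["']([A-Za-z0-9/+=]{40})["']"""
)


def redact(value: str) -> str:
    """Show only the ends of a secret so findings can be logged safely."""
    return value[:4] + "..." + value[-3:]


def scan_text(text: str) -> list[dict]:
    """Return findings as {line, kind, value}, in line order, for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "secret_access_key", "value": m.group(1)})
    return findings


def scan_files(paths: list[str]) -> dict[str, list[dict]]:
    """Scan each file path; unreadable or binary files are skipped silently."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
        except OSError:
            continue
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for h in hits:
                print(f"{path}:{h['line']}: {h['kind']} {redact(h['value'])}")
    else:
        for h in scan_text(SAMPLE_BUNDLE):
            print(f"sample:{h['line']}: {h['kind']} {redact(h['value'])}")
```

Run it in CI against the built bundle as well as the source tree: bundlers inline environment variables at build time, so a key that never appears in the repository can still end up in the JavaScript served to every visitor, which is the shape of exposure the summary describes.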

https://www.kibty.town/blog/a16z/