> It’s obviously not safe to publicly announce the existence of a security vulnerability
Publicly showing the vulnerability would have been unsafe, but I don't think there's much harm in asking to get in touch about an unspecified security issue (not even saying that it's a vulnerability in their website). Andreessen Horowitz is a massive firm, not some tiny website flying under the radar.
> and there was no barrier to alerting them privately via the same platform
DM would have to get picked up by their social media person next time they check Twitter, whereas a directed tweet can additionally leverage networks and be escalated by people with contacts - possibly someone could give the up-to-date engineering contact email, for instance.
Either way would have been fine, really. I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
> I feel we're going over the actions of an individual researcher with a fine-comb, searching for any hint that there was an arguably better course of action, when there are multiple huge obvious mistakes from a16z.
You're going over things "with a fine-comb". I just wrote two sentences that made a single point.
The extent to which attempted fault-finding of someone's behavior is unwarranted is not determined by the number of words. I could complain "Why break my door when the window was open!?" to the firefighter carrying me out of a burning building in nine words.