Whoops I accidentally exposed all API keys ever to the public.

No really this is unacceptable for a professional, it’s even bad for an amateur.

If your processes are so insecure that a little tired breaks your whole company you done goofed.

Yes, the answer must be additional processes and procedures. That way, you’ll never make a mistake! /s

Also bizarre to frame this as “unacceptable behavior”, as if whoever is involved was in some way aware of their mistake and/or would say “this is acceptable behavior!” when confronted with it or something.

GP framed leaking all your keys at something that happens when you are tired or distracted.

This is unacceptable behaviour for a professional in my eyes.

Humans are gonna human, if you have an environment where you fail to account for this, this will happen. Reminds me of a dev dropping a production database, or the aws engineer who incorrectly entered a command and brought down s3: many things have gone wrong to even be at this point, blaming a human for behaving like a human in an inhospitable environment is silly. Effort is almost always better spent building a system which is safer to operate for the people involved.

That’s why I recommend in my original comment as well: get a better process.

The person I replied to understood it as “piling on more and more agile bs” but IMO that was just bad faith so I ignored it.

You need both - processes that are lightweight but solid where it matters - operators who give a shit

Perhaps some processes should be put into place to make exposing the entire company into a multi-step failure?

I've considered tracing outgoing responses from nginx/traefik/whatever to watch for known API keys. The difficulty would be identifying the keys amongst the noise.

Perhaps some already exist.

But if they have five security processes that each has a 99% chance of catching a bug, that's still a 1-in-10,000 chance that something will slip through. And I'd wager that a16z has more than 10,000 "components" that goes through those processes.