Stuff like this is what gives the entire security and white hat community a bad name.
1. "Surprise pentests" are illegal in the US and pretty much every jurisdiction in the world. If you are actively breaking into websites without a prior agreement, you are not doing anyone a favor. Save your efforts for companies that actually want you.
2. If the company doesn't have a published bug bounty program, they don't owe you anything. Yes they can still be nice and pay you, but they definitely won't if you disclose the vulnerability to the rest of the world without giving them a heads up and enough time to fix it.
3. "Oh I couldn't find an email address" is the worst excuse in the world. I found one after exactly 5 seconds of Googling (at the bottom of https://a16z.com/connect). And even otherwise there's Twitter, Instagram, LinkedIn and a hundred other ways to reach someone at the company if you really want to.
This is a classic case of clout chasing over responsible disclosure.
"i like to do this thing where i search twitter, looking for companies, and then try giving them a quick pentest"
"the compromised list of services: their database (containing PII), their AWS, their salesforce (never checked, account may be limited), mailgun (arbitrary emails from a16z domains, and also could read older emails)
... and probably more"
By their own admission, this is a "pentest", and they were able to access a16z's "database" and ascertain that it contains PII. Amongst other services used by a16z.
I'm not the one to judge whether they crossed any legal (or moral) lines though.