Strix’s autonomous AI hacking agent found zero tenant isolation on Schemata’s API, exposing U.S. service member records and military training materials across all tenants.
Key Takeaways
A low-privilege account was enough to enumerate the full user base, including names, emails, and military base assignments of active service members.
Hundreds of AWS S3-linked training manuals, including Army ordnance field manuals and Navy maintenance docs marked confidential, were freely accessible.
Write-enabled routes had no authorization checks, meaning any user could modify or delete courses platform-wide.
Responsible disclosure took 152 days; the CEO’s first reply accused Strix of seeking payment before any vulnerability details were shared.
Schemata holds active DoD contracts subject to DFARS 252.204-7012 and CMMC requirements for handling Controlled Unclassified Information.
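To make the takeaways above concrete, here is an added example (not Schemata's code, and not taken from the report) of the two route behaviours described: a user-listing and a course-update handler written with no tenant or role checks, beside the same handlers scoped to the caller's tenant. The tenant names, user records and course ids are constructed for the example; the session object stands in for a server-side session the framework would supply.

```javascript
// Constructed sample data: two tenants, one user and one course in each.
function seed() {
  return {
    users: [
      { id: 'u1', tenantId: 'base-alpha', email: 'a@example.invalid', role: 'learner' },
      { id: 'u2', tenantId: 'base-bravo', email: 'b@example.invalid', role: 'instructor' },
    ],
    courses: new Map([
      [101, { tenantId: 'base-alpha', title: 'Course A' }],
      [202, { tenantId: 'base-bravo', title: 'Course B' }],
    ]),
  };
}

// VULNERABLE: any authenticated caller receives every tenant's users, and
// whatever course id arrives in the route is written to, no matter who asks.
function listUsersUnsafe(db, _session) {
  return db.users;
}
function updateCourseUnsafe(db, _session, courseId, patch) {
  const course = db.courses.get(courseId);
  if (!course) return { status: 404 };
  Object.assign(course, patch);
  return { status: 200 };
}

// HARDENED: every query is filtered by the tenant recorded in the server-side
// session (never by a tenant id taken from the request), writes additionally
// require an editing role, and only allow-listed fields are patched so the
// caller cannot move a course to another tenant. A course from another tenant
// returns 404 rather than 403 so the response does not confirm it exists.
const WRITE_ROLES = new Set(['instructor', 'admin']);
const PATCHABLE_FIELDS = ['title', 'description'];

function listUsers(db, session) {
  return db.users.filter((u) => u.tenantId === session.tenantId);
}
function updateCourse(db, session, courseId, patch) {
  const course = db.courses.get(courseId);
  if (!course || course.tenantId !== session.tenantId) return { status: 404 };
  if (!WRITE_ROLES.has(session.role)) return { status: 403 };
  for (const field of PATCHABLE_FIELDS) {
    if (field in patch) course[field] = patch[field];
  }
  return { status: 200 };
}
```

The object-level check (does this record belong to the caller's tenant?) is the one a scanner cannot infer from the schema; it has to be present in every handler that reads or writes a tenant-owned record.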
Hacker News Comment Review
Commenters broadly agreed this failure pattern is common at VC-backed startups where security expertise is absent, and where frameworks like Vercel and Supabase lower the barrier to shipping features without ever hardening the authorization layer.
The CEO’s initial “is that the play?” response was widely criticized, though some noted that startup founders are routinely spammed by bad-faith researchers, creating a disclosure environment with poor default trust.
Independent researchers noted legal risk when probing DoD contractor systems without a bug bounty program, and questioned whether there is a safe, effective DoD contact point for unresponsive contractors.
Notable Comments
@tptacek: Notes the vuln itself is boring; the real story is security-by-obscurity on a platform holding genuinely sensitive defense data.
@codegeek: Flags the SOC2/ISO compliance question – certifications that would have missed a foundational missing authz layer entirely.