yo,
@vercel @rauchg This is awful - not the vulnerability (those happen) but your handling of it with the next.js community. Glad major platforms have mitigations in place and rolled out. While Netlify itself was not vulnerable to this, ALL platforms have had to do a fire drill late/early today to validate this, push changes, and ensure this. Any platforms that were impacted now have to spend lots of time with customers ensuring their sites were not abused through this vulnerability - including Vercel's customers. Even Cloudflare's team
@elithrar @dok2001 had to work on putting rules into place today instead of when Vercel/next knew about it?! From my perspective here, the timeline looks like the Vercel team knew about it for _at least_ 5 days and quietly pushed changes in that time to the latest versions of Next. This morning we see this advisory and it's the first time anyone from next/vercel reached out to anyone on the matter. This is a major security issue with an open source framework that you maintain and where was Vercel here? - The PRs for fixing the bugs look like maintenance not security issues - YOU HAVE DONE ZERO OUTREACH via
@vercel @nextjs even now to customers to advocate for updating and validating their systems. - You privately hit up other platforms early this morning several hours AFTER the CVE was announced - you did put in a changelog today that talks about your firewall but this is covering your bases, not supporting the community. Even on your platform, were customers ever impacted or was there a timeline that they were? As far as I can tell - as someone with Next.js sites deployed to Vercel - no outreach has been done to confirm any of this. Maybe at the end of the month it will show up in the product emails. You've treated this thus far the same as a spelling error that you needed to fix. So this means Vercel knew about this for 5 days and did not work with the open community about it until they had to. This hurts trust with the open source contributors to next and customers using next at all. It also increased the amount of time customers were vulnerable and the amount of auditing and research to protect customers. We need something here to believe that you're properly informing and advocating for security practices and safety for those who use this framework regardless of whether they use Vercel.