upvote

points

by ryanscio2 hours ago |
comments
upvoteby cowsup2 hours ago|
[-]
> Still no email blast from Vercel alerting users, which is concerning.

On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams.

But on the other hand... It's Sunday. Unless you're tuned-in to social media over the weekend, your main provider could be undergoing a meltdown while you are completely unaware. Many higher-up folks check company email over the weekend, but if they're traveling or relaxing, social media might be the furthest thing from their mind. It really bites that this is the only way to get critical information.

reply
upvoteby gk142 minutes ago|
parent|
next
[-]
> On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams

This is not how things work. In a crisis like this there is a war room with all stakeholders present. Doesn’t matter if it’s Sunday or 3am or Christmas.

And for this company specifically, Guillermo is not one to defer to comms or legal.

reply
upvoteby loloquwowndueo1 hours ago|
parent|
prev|
next
[-]
> the CEO can't just write a mass email without approval from legal or other comms teams.

They can be brought in to do their job on a Sunday for an event of this relevance. They can always take next Friday off or something.

reply
upvoteby eclipticplane1 hours ago|
parent|
prev|
next
[-]
Has anyone actually gotten an email from Vercel confirming their secrets were accessed? Right now we're all operating under the hope (?) that since we haven't (yet?) gotten an email, we're not completely hosed.
reply
upvoteby loloquwowndueo1 hours ago|
parent|
next
[-]
Hope-based security should not be a thing. Did you rotate your secrets? Did you audit your platform for weird access patterns? Don’t sit waiting for that vercel email.
reply
upvoteby eclipticplane1 hours ago|
parent|
[-]
Of course rotated. But we don't even know when the secrets were stolen vs we were told, so we're missing a ton of info needed to _fully_ triage.
reply
upvoteby ItsClo6881 hours ago|
parent|
prev|
[-]
nope...I feel u, the "Hope-based security" is exactly what Vercel is forcing on its users right now by prioritizing social media over direct notification.

If the attacker is moving with "surprising velocity," every hour of delay on an email blast is another hour the attacker has to use those potentially stolen secrets against downstream infrastructure. Using Twitter/X as a primary disclosure channel for a "sophisticated" breach is amateur hour. If legal is the bottleneck for a mass email during an active compromise, then your incident response plan is fundamentally broken.

reply
upvoteby refulgentis39 minutes ago|
parent|
prev|
[-]
I'm going down with the ship over on X.com the Everything App. There's a parcel of very important tech people that are running some playbook where posting to X.com is sufficient enough to be unimpeachable on communication, despite its rather beleaguered state and traffic.
reply