Five days after Vercel disclosed a compromise of its OAuth token-issuance pathway, the single unresolved question in the incident is whether a second customer was affected beyond the originally named Context.ai. The company's incident-status page, last updated Wednesday, says the investigation is "ongoing" and that "no additional customer tenant compromises have been confirmed." [1] The paper has read that sentence four times. It does not say what readers think it says.
"No additional confirmed" is not "no additional occurred." The posture is consistent with a security investigation that has found evidence requiring verification and is withholding language until legal review completes. It is also consistent with an investigation that has genuinely found nothing. From the outside, the two scenarios are indistinguishable — which is precisely the ambiguity the paper has tracked since Vercel's initial disclosure Sunday. [2]
The original advisory named a latent OAuth-token vulnerability dating to code changes in March, with exploitation confirmed in early April. [2] The architecture implication — that any customer whose integrations used the affected token-issuance pathway during that window is a potential compromise surface — was the point the paper called out in Wednesday's coverage of the second OAuth vector, which Context.ai surfaced as a March precedent. That technical frame has not been contested by Vercel. It has been left unaddressed.
The community response is visible. Several Vercel enterprise customers — Runway, Raycast, and Cal.com among them — posted security advisories Tuesday and Wednesday disclosing that they had rotated affected secrets and audited their own token flows as a precaution. [3] None of those advisories states that a compromise occurred. They state that the possibility was sufficient to trigger rotation. In the security economy, that distinction is the difference between a P1 incident and a P2 hygiene response.
Vercel's commercial incentive is to close the incident cleanly. A second confirmed customer compromise converts the narrative from "single-tenant incident with architectural implications" to "multi-tenant breach with platform-wide liability." The first is a case study; the second is a class-action framework. Technical facts do not bend to commercial incentives, but disclosure timelines do. Customers rotating out of concern rather than out of disclosed necessity means Vercel can truthfully say no additional compromises are confirmed while the aggregate security cost to the ecosystem is already substantial.
What the paper will watch for on Day Six: any named customer adding themselves to the compromise list, any updated vulnerability score on the original CVE filing, or any Vercel post-mortem timeline that addresses the March-to-April window explicitly. None of those surfaced Thursday. The absence is itself the status.
-- MAYA CALLOWAY, New York