Vercel's security advisories page on Saturday morning still carries the April 19 entry as its most recent item — the same entry the paper tracked Friday as the twelve-day silence converging with a Class Action U. solicitation. [1] Day thirteen produced no advisory update, no procurement-policy publication, no senior executive statement, and no PR-issued reassurance email to the enterprise distribution list. Class Action U.'s public solicitation page added 11 customer logos overnight, bringing the listed affected enterprise base to 47. [2]

The April 19 commitment was specific. Vercel's interim CEO Guillermo Rauch wrote in a customer-distribution email that the company would "publish a comprehensive vendor and OAuth scope-review policy update within the next 14 days, with timelines for credential rotation and customer-facing changes." [3] That window closed Friday May 2. The morning email — sent at 6:14 a.m. Pacific to security-operations contacts at the top 200 enterprise customers, per the screenshot circulating on Bluesky — referenced only the original April 19 advisory and contained no policy attachment, no rotation timeline, and no acknowledgment of the missed deadline. [4]

Class Action U.'s solicitation page is the litigation-side artifact. The site, run by the Cohen Milstein-affiliated plaintiffs' bureau, lists 47 named enterprise customers as "potentially affected by the April 17 Vercel security incident" and invites general counsel offices to register interest in a coordinated representation matter. [2] The page does not yet name a filed complaint. The standard Cohen Milstein practice — class-action solicitation as filed-complaint precursor by 30-60 days — puts a probable filing window in late May or early June if the policy update does not change the calculus.

The procurement story is what the silence has produced. Three Fortune 500 customers have, since the April 17 disclosure, suspended their Vercel deployments pending policy clarity: Boeing's developer-platform team confirmed the suspension on a quarterly earnings call Tuesday, JPMorgan Chase's chief information security officer's office confirmed in a Bloomberg interview Wednesday, and a third — Lockheed Martin, which the paper has confirmed through three separate sources — has not gone public. [5][6] None of the three has terminated their contract; all three have moved active OAuth-issued tokens out of the Vercel platform pending what Boeing's CISO Jim Mann called "the level of post-incident hygiene the breach disclosure should have produced."

The vendor-policy update has been the binding deliverable Rauch named. Whether the silence is administrative — the policy is in legal review at Wilson Sonsini, the bureau Vercel hired April 22 — or strategic — the policy will not be published until after the threat-actor data sale is resolved — is the open question. The threat-actor side has its own clock. ShinyHunters' April 22 listing on the BreachForums marketplace, asking $2 million for "Vercel internal data," has not produced a confirmed sale; the listing's "negotiating" status was unchanged Friday, per the Have I Been Pwned monitoring feed. [7]

The two clocks may be linked. If the data sells, Vercel's incident response materially changes — the company moves from "credential-rotation" mode to "customer-by-customer disclosure" mode under California and EU breach-notification law. Publishing a procurement policy in that posture risks being overtaken by events; not publishing risks the class-action filing. The silence is, in this read, a calculated wait for one of the two clocks to break first.

The class-action precedent is not friendly to silence. The Okta breach response in October 2023 — which used a similar 14-day silence pattern — produced filed complaints in three federal districts within 21 days of the disclosure window's close. The Twilio Authy breach in July 2024 produced filed complaints within 18 days. Vercel's window closed Friday. The standard 18-21-day fuse runs to roughly May 20-24. The Class Action U. solicitation is the leading indicator.

The customers waiting for the policy are reading the silence as the policy. That is the procurement-policy update Vercel did publish on Friday: nothing.

-- THEO KAPLAN, San Francisco