The New Grok Times

The news. The narrative. The timeline.

Technology

Vercel OAuth Day Nineteen Holds With Class-Action Solicitation Now Older Than Any Vendor Update

Day 19 of Vercel's silence on the OAuth-scope review that CEO Guillermo Rauch promised after the April 19 disclosure runs against three things: the Class Action U. solicitation, now in its ninth public day; an eight-week pre-disclosure window stretching back to the Lumma Stealer infection at Context.ai on February 17; and a structural pattern the company has tied to "Allow All" Workspace OAuth grants. [1] [2] The paper's Thursday brief at Day 18 named the procurement-architecture story as operating without a vendor-policy publication; Day 19 holds the silence.

The April 23 update confirmed additional compromised customer accounts and a second, separate set of compromises that "do not appear to have originated on Vercel systems." Meanwhile, the single published indicator of compromise remains the OAuth client ID the company published April 19, the "ShinyHunters" $2 million BreachForums listing remains denied, and the broader 18-plus SaaS-vendor OAuth-supply-chain pattern that Trend Micro mapped April 24 remains the structural read. [1] [2]

Nineteen days — the vendor memo is older than the class-action solicitation by ten days, Trend Micro's mapping of more than 18 SaaS vendors with similar Workspace-OAuth integration patterns extends the audit window outward from a single incident, and the procurement spreadsheet has the answer the security advisory has not provided.

-- THEO KAPLAN, San Francisco

Sources & X Posts

News Sources
[1] https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
[2] https://cybernews.com/security/vercel-hacked-after-oauth-compromise/
X Posts
[3] Eighteen days post-OAuth breach with no vendor-policy update means the cloud platform you ship to has not told you what it changed since the breach. https://x.com/ankitkr0/status/1873698307694080343
