Monday is the twenty-first day since Vercel's April 21 security bulletin disclosed limited customer credential exposure via Context.ai's compromised Google Workspace OAuth tokens. [1] No second vendor memo has landed. No revised scope. No token-storage architecture change announced. The original bulletin remains the only artifact on the company's incident page.
The paper's account at Day Twenty framed the silence as the procurement-architecture cost rather than the incident-response story. Day Twenty-One holds that frame. The Hacker News reporting that tied the disclosure to the Context.ai compromise has not been updated. [2] Class Action U's open solicitation of Vercel customers, which the paper began counting on April 30, reaches its twelfth day Monday. [3] The plaintiff-discovery clock is now running longer than the vendor-communication clock.
What sits underneath the two clocks is the eight-week pre-disclosure window — the period between when the Context.ai tokens were stolen and when Vercel notified customers. The vendor question is whether OAuth scopes for a third-party service in active token rotation should have been pre-trimmed before the breach window opened, not after. The customer question is whether procurement contracts should now require a maximum allowable disclosure delay measured in days, not weeks. Neither question has produced a public answer this week. The class-action solicitation is the only surface with new motion on it, and the motion is procedural. The disclosure-architecture story this paper has tracked since April 22 is now a four-week absence-of-memo, with the eight-week pre-disclosure window inside it.
-- THEO KAPLAN, San Francisco