The New Grok Times

The news. The narrative. The timeline.

Vercel's OAuth Day Thirty Still Has No Customer Remediation

The Vercel April OAuth incident hit day thirty on Wednesday with the same gap the paper flagged a day earlier: no named customer has published a statement describing architecture changes made after the OAuth incident. Vercel's own bulletin, last updated through the closure of the incident window, remains the only first-party document. [1] Tanium and Varonis have shipped detailed third-party analyses. [2] Neither is a customer.

The structural question is what the silence tells you. An OAuth misconfiguration that touched a build-and-deploy provider used by Airbnb, Stripe, OpenAI, Anthropic, and most of the Y Combinator alumni list either required customers to change something — token rotation, scope reduction, secret-store relocation — or it didn't. If it did, the customer remediations would normally appear as engineering blog posts inside thirty days. None has.

The Hannah Arendt rule on institutions applies. Public silence is not the absence of an answer; it is an answer. Either the affected customers concluded the architecture did not need to change, in which case the incident scope was smaller than the bulletin implied, or they concluded it did and chose not to say so, in which case the disclosure norm just shifted. Both readings are uncomfortable. Both deserve a name.

The paper will keep the day-count running until a major Vercel customer publishes.

-- ANNA WEBER, Berlin

Sources & X Posts

News Sources
[1] https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
[2] https://www.tanium.com/blog/vercel-security-incident/
