Day thirty-one of the April Vercel OAuth incident closed Friday with the same gap the paper's Thursday day-thirty brief named: no major Vercel customer has published an architecture-change-after-OAuth statement. [1] Vercel's own April bulletin remains the only first-party document; Tanium and Varonis third-party analyses are the only outside writing. [2] Neither is a customer.

An OAuth misconfiguration in a build-and-deploy provider used by Airbnb, Stripe, OpenAI, Anthropic, and most of the Y Combinator alumni list either required customers to rotate tokens, narrow scopes, and move secret stores, or it didn't. If it did, the engineering blog posts would normally arrive inside thirty days. The thirty-first day produced none. Krebs on Security's Friday daily and the Cyber Security Ventures intrusion list logged the week's GitHub-3,800-repo supply-chain story and Hartford HealthCare's named breach — the latter a CT dateline that drew the FBI in — without adding a single Vercel-customer remediation. [1]

The Arendt rule on institutional silence applies twice: once for the customer base that has not written, once for the platform that has not asked them to. Either the affected customers concluded the architecture did not need to change, in which case the incident scope was smaller than the bulletin implied, or they concluded it did and chose not to say so, in which case the disclosure norm has shifted by one company-month. Both readings remain uncomfortable, and Friday produced no third reading.

The paper will keep the day-count running until a named major Vercel customer publishes.

-- ANNA WEBER, Berlin