[bobfunk]

Netlify CEO here.

Our support team has reached out to the user from the thread to let them know they're not getting charged for this.

It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

Apologies that this didn't come through in the initial support reply.

[jotaen]

One additional feedback, for consideration: to me, your Pricing page[1] doesn’t make it sufficiently clear that the “Starter” plan may incur costs at all (let alone in this ballpark). It’s now more apparent when looking at it in hindsight, but you have to either read very carefully, or go to the separate “View Features” page to understand this.

“0$ to get started, then pay as you go” reads to me: “0$ to get started, and then you can order add-ons and extra features as you need them”, not “$0 to get started, but we may start charging you virtually unlimited amounts at any point without prior notice”.

When signing up for the “Starter” tier initially, I completely misunderstood this. I didn’t have to enter any credit card or invoice details, so I thought as long as you don’t have that info from me, you can’t and won’t bill anything.

[1]: https://www.netlify.com/pricing/

[mathgradthrow]

How on earth could I, as a customer, be sure that netlify hadn't paid someone to DDOS me? If I were in charge of a business like that, I would have that thought constantly...

[rpgwaiter]

Why go through that effort when they could just lie about site usage and say you incurred a bunch of traffic? Or make fake site "hits" from localhost?

It's really the trade-off for using any cloud host. You are implicitly trusting the host, their monitoring tools, their billing system, and their customer support when things go wrong

[Cthulhu_]

Both of those could be exposed via an audit or a whistleblower, either of which would destroy the company and its reputation overnight.

[evilduck]

As opposed to just negligently allowing it from the outside?

Netlify still looks terrible here.

[natnat]

This is insane conspiratorial thinking? How would being the only host that happens to get DDOSed constantly be a good business proposition?

[cookiemonsieur]

If you charge them for the extra bandwidth usage, it is. Not saying it's morally right, but definitely something a shady business would do. There's nothing "conspiratorial" about that. You'd be surprised how many conflicts of interest Big Gov and Big Business find themselves in.

[xatax]

> 0$ to get started, then pay as you go” reads to me: “0$ to get started, and then you can order add-ons and extra features as you need them

I think I disagree with this, but maybe I'm misunderstanding you.

Pay as you go sounds strongly to me that you pay based on your actual usage, not that it's free except for add-ons. A pay as you go phone, for example, does not imply you need to buy a telephony add-on, an SMS add-on, etc.

PAYG phones, however, were always prepaid, so I think I would expect PAYG hosting to be similar. That said, if my site was publicly accessible without my prepayment, I think it would be clear that it works the way it apparently does.

It's potentially misleading, but I don't think it's intentionally dishonest.

[remram]

> you pay based on your actual usage

The disagreement is on what "usage" means. I wouldn't assume that "usage" includes things that don't take any action on my part.

If I don't use my phone, for example, I wouldn't get any "usage". A phone pay-as-you-go plan would probably trigger similar outrage if they charged you potentially unlimited amounts for phone calls that hit your voicemail overnight.

[Ferret7446]

Do you know how web hosting works? You pay for a service so other people can use it. Extending the phone analogy, it is like you set up a public phone that anyone can use, and you pay for every time someone uses it.

[remram]

Your analogy break down because no part of buying and setting up a phone yourself is free. If some company offers to set up a public phone "for free" in your neighborhood, and charge you for "usage", you wouldn't expect to be charged if you don't place calls.

The "do you know how it works" is completely unnecessary and rude.

[jotaen]

> It's potentially misleading, but I don't think it's intentionally dishonest.

That’s my interpretation as well.

The usage of the term “add-on” is not clear here in my opinion. On their main pricing page[1], Netlify currently lists “Additional bandwidth” as “Add-on”. To me, that sounds like “I can actively order additional bandwidth in case the included bandwidth isn’t enough.” Not: “Additional bandwidth is automatically allocated and charged for as it happens to occur.”

In addition to that, there is a big bold “$0” at the top of the “Starter” plan.

[1]: https://www.netlify.com/pricing/

[ornornor]

That was my understanding as well, since I signed up for MetLife years ago up until this very moment.

[aurareturn]

There are only two questions everyone have:

1. Would Netlify forgive the bill if this didn't go viral?

2. How do you plan to address this issue so that it never happens again?

Everyone here knew someone from Netlify would come and say OP wouldn't have to pay. That was a given. Now we want to know the important answers.

[bobfunk]

1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral

2. While I've always favored erring towards keeping people's sites up we are currently working on changing the default behavior to never let free sites incur overages

[noir_lord]

Any cloud platform should have a spend-stop amount built in.

i.e. if I know I average $10 a day, I should be able to put in a "If it hits $50, email me and take it offline".

Of course the opposite problem is then people setting that limit too low but since the user defines the limit that's on them not you.

This is one of the reasons I still in 2024 rent physical boxes and run the modern stuff on top of them directly, yes it costs me more per month but the price is hard capped.

[kej]

This is something I really like about Nearly Free Speech.net. Their model is that you deposit funds up front, and they will deduct from those funds as you use services. It helps that they actually are nearly free so that a single $20 deposit can last for months or years in many cases.

It's bizarre to me that more services don't support billing this way, since there are tons of situations where I would much rather have a site or service go down than be hit with a surprise bill and have to depend on social media and magnanimous corporate PR.

[nazka]

Yes it’s nice like that. Specially for side projects on AWS that could go wrong on your personal credit card. Also I heard they forgave bills sometimes.

[pierat]

Amazon will, but they also gauge their discount in how many prevention and security measures from their 5 Pillars you follow in your environment.

You can do stuff like "disallow any of these instances to be used in your env", so if you never use graphics cards, disallow the whole class.

You can also set limits like "no more than 20x m5.4xlarge".

But again, AWS is the worst about no actual hard limits, cause each system generates bills. Ive also seen the hell of "hidden system AWS Billing doesnt have is still submitting billing and we dont know what it is". Again, AWS enables basically infinite liability.

Ive also discussed with C levels that "every engineer and dev with AWS logins have an unlimited credit card to of which you're on the hook for". Lets just say that 'heartburn' doesnt even begin to describe the terror on their faces.

[GirkovArpa]

Yes. Back around 2020 they forgave me a $1000 bill for a side project I thought was running on a free tier.

[mdekkers]

I absolutely love NFS and pay for the support option even though I don’t need it, simply to support them. Everything about that service is simply ace.

[bradly]

A couple years ago I switched from a standard, contract-based US cell phone plan to a prepaid service it has felt so much more natural. Have a messed up my autopay and my phone just stop working in the middle of the day? Yep. But You just find some WIFI, pay, and its back on in minutes. I know exactly what my service costs: $35 dollars. No fees, taxes.

[w0m]

> Have a messed up my autopay

I stopped ~all autopays when (Boost Mobile?) deduced 200 instead of 20usd from my debit account one month in college. They refunded the difference relatively quickly, but I racked up 5 or 6 overcharge fees before realizing; ended up being a pita for an already broke 18 y/o to figure out.

I was a broke and stupid kid. Never use a debit as an autopay. But since then I like to track where each penny goes as it goes.

[remram]

That sounds awful and it's not even cheap!

[colecut]

I think for this purpose you could use something like privacy.com, generate a virtual credit card, and set a monthly limit on it. This way you don't have to deposit any money in advance.

[raiyu]

We did this at DigitalOcean for similar reasons, wasn't a feature that was commonly used. Additionally, when you set that limit people then get upset because usually when they go over it for a good reason, like going viral, they aren't anticipating it, and just when their traffic is most valuable the site is down.

What Netlify is doing here is really the best approach for both parties. And typically speaking a $104k bill would be hard to get paid up regardless if the customer's typical transaction balance was $5/mo and their credit card limit wouldn't be that high.

Also, that's the benefits of credit cards - that you can still issue a charge back, and credit card companies very much favor the consumer rather than the merchant.

[noir_lord]

> Also, that's the benefits of credit cards - that you can still issue a charge back, and credit card companies very much favor the consumer rather than the merchant.

So your suggestion is to issue a chargeback.. to get money back that should under the terms of whatever service you signed up for be owed?.

That seems like bordering on fraud tbh.

> Additionally, when you set that limit people then get upset because usually when they go over it for a good reason, like going viral, they aren't anticipating it, and just when their traffic is most valuable the site is down.

Legit concern and something I mentioned, I'm gonna guess there are broad two camps on that one - mine which is "I want a safety ripcord" and "whee, nice problem to have".

However since this entire conversation is around a guy who got a massive invoice because of a bill he wasn't expecting and couldn't have set such a limit I'm still gonna go with a "I want a way to constrain the financial downside - hell turn it off by default but give me the option".

Since broadly a lot of cloud stuff doesn't, I'll constrain it a different way.

[kuboble]

So is the solution to have two thresholds? Notify me urgently if the traffic exceeds 100$, giving me a chance to evaluate what's going on but shut it down at 1000$ if I don't act.

[mattferderer]

> So your suggestion is to issue a chargeback.. to get money back that should under the terms of whatever service you signed up for be owed?.

Funny story... One of the big cloud providers actually has you do that on purpose as a remedy for an account you've lost access to.

[jedberg]

> Also, that's the benefits of credit cards - that you can still issue a charge back, and credit card companies very much favor the consumer rather than the merchant.

That has not been my experience. I've had to do a few chargebacks for services not rendered, and I've never won. I will submit my evidence, then the vendor will submit 100 pages of random emails, and then I will have my claim denied. Then I will appeal, will point out that they sent 100 random pages of email, and then they will reply with the same 100 pages of emails and I'll get denied again.

It seems that the vendors have found the hack for chargebacks -- just inundate the credit card company with so much data that they assume the vendor must be right.

It makes sense -- the vendors pay the credit card companies a lot more than I do. They'd rather keep them happy than me.

[jokethrowaway]

As a seller I have the opposite experience.

Plenty of morons just use the service and chargeback right before renewal so they got the service for free, some just chargeback instead of cancelling their plan or asking a refund. I get hit with 15$ bill plus I lose all the money even if I provided the service.

Whatever email / data from my system I send is ignored and the scammer / moron gets his money back.

I'm sure that's how it works if the vendor is large enough.

If you are a small fish you don't stand a chance, which is why for my next project (where I'm supposed to charge a lot and spend a lot on behalf of the user - and I'll be royally screwed if I start getting chargebacks on 500$ of which I've already spent 450$) I'll just accept crypto payments.

[sokoloff]

That's strange. I think I've done about 10 chargebacks over 35 years. All but one I "won" with just an initial submission and waiting. One my card company came back to me for additional details before also siding with me.

[aurareturn]

  Additionally, when you set that limit people then get upset because usually when they go over it for a good reason, like going viral, they aren't anticipating it, and just when their traffic is most valuable the site is down.

But that's on the user. The user shouldn't get upset in that scenario and has no right to. You're giving the control back to the user.

[conductr]

How about just fix the pricing formula to account for massive surges.

Instead of forcing user to set a low cost limit and missing a viral opportunity or the platform writing off the massive bill the customer can't afford... just put the billing mode into a reduced price mode or have some more nuanced configurations. Sometimes is just asking the question the right way. Instead of "max spend limit" or similar "If your site goes viral, how many requests do you want to serve before going offline? 1M=$20, 10M=$100, etc" at this point, I feel like bandwidth consumption is a bad metric for billing; just use requests/visits/actions and price for those.

This is not prescriptive just illustrative. The point is make a better pricing formula to account for these massively unexpected events. Couple it with an aggressive notification policy when this traffic event gets triggered. The user should know the traffic pattern has changed and a high traffic event is happening. They can login and change the configs and decide if they want to keep it going or not.

[gwright]

> But that's on the user. The user shouldn't get upset in that scenario and has no right to.

I agree. I also agree that when dealing with large numbers of people, there will be people who don't understand this and/or will actively try to social engineer their way out of their own decisions.

Setting customer expectations and meeting them successfully isn't easy.

[typon]

The infantilization of the user is common in tech now. For good reasons? Maybe. But it is common.

[ohnoitsahuman]

A debt is still a debt even charged back.

There would be many attorneys interested in collecting a $105k debt.

[quickthrower2]

Yes if a corporation says I owe them $100k I will lose sleep. Even if they don’t have my card details.

[safety1st]

No, not really. Not really what attorneys do. There might be collections agencies interested in recovering the debt, but if it's some rando guy who doesn't have the money, even that is open to debate.

I mean I'm not familiar with every debt collection scenario under the sun but Internet randos seem to think this is a real thing where like a cloud/hosting company sends an army of lawyers to repo some guy's house and runs him into bankruptcy because of a traffic overage. I've never seen it work that way, what happens like with most business debts, is someone at the company negotiates with the debtor to try and get as much out of them as they can, and failing that, possibly refers it to a collections agency which does the same but plays a bit more hardball.

In the case here with Netlify even before it went viral they reduced the amount from $104K to $5K, no lawyers, collectors or repo men involved, and while I'd hate to be stuck with that $5K bill, I dunno, that does feel closer to the mark of something that maybe you should be on the hook for if you're responsible for 200 TB of bandwidth overage over 4 days? Is this so bad on the part of Netlify?

All that said I'll just add that I've never given my credit card to any sort of host/cloud who had terms where they could bill unlimited overage fees like this. Never will unless there's a cap. Not Netlify not AWS not nobody. That goes for my personal life as well as for the business I operate. The terms is the terms and the answer is to not use these services unless you can afford them imho.

[ahmedfromtunis]

Here's an idea: let users set a spending limit.

If they're about to go over, shoot them a quick heads-up and give them 24 hours to sort things out or level up their package.

After that, if they haven't made any changes, temporarily pause their site access

[skeeter2020]

AWS budgets are good for the first part, but they have no interest in a hard cap for obvious reasons.

[brnt]

That sort of adversarial weaponization of credit cards is really a US thing. In most of the world, payment is not relevant to the question of liability: you create a debt, whether or not you can debit a card. So, looks like DigitalOcean is another name to avoid.

Also: what's common? At the scale these companies so desire, small percentages are still thousands of users. Supporting them with what's ultimately a fairly trivial option shouldn't be seen as such a hassle.

[croemer]

Partially agree, yes the liability is independent of the payment. But in practice the one who has the money has the benefit of the status quo. The other party without money has to actively take legal action which is costly enough that it's often not pursued.

[benterix]

Just want to chime in:

1) Thank you for allowing us to set the limit.

2) I understand your opinion that you prefer chargebacks but I disagree with it.

The very reason I stay with Hetzner is that I know in advance what my bills will be for the whole year. Heck, I even charge my account in advance so that I don't worry about any charges!

[charcircuit]

>that you can still issue a charge back

Most users don't want to be banned from their hosting provider.

[nico]

> usually when they go over it for a good reason, like going viral, they aren't anticipating it, and just when their traffic is most valuable the site is down

Of course. And that’s why any limit against a dynamic variable should also have alerts linked to it

Send an alert to the user when traffic starts spiking, especially if a simple projection shows it’s going to go over their limit

Then the user is aware, hopefully with enough time to lift the limit if needed

[ygjb]

That's a level of responsiveness that doesn't exist for the vast majority of organizations.

If your customer is aware enough to notice they are being hit with a DOS or legit traffic while it is happening, then great! They can respond, and if needed, engage proserve to get support for scaling or defense depending on needs.

If your customer is not alert enough, then their site is offline, and they won't hear about it until their customers are screaming at them, which will result in a P1 ticket to look at a vendor who won't turn them off during an unexpected peak.

It's a catch 22, and if you have to choose between: a) a PR hit because you have to go on a forum and post about waiving the fee, or b) a PR hit because someone posted a blog post about how you killed their site during a moment of critical growth

any reasonable business will choose A every time because A is far more supportive of customer growth and has drastically better optics. Anyone who thinks A is worse is probably too inexperienced to have an opinion.

[Gormo]

> What Netlify is doing here is really the best approach for both parties.

Sort of, but the approach to the approach isn't great. If you're going to void charges from DDOS traffic anyway, you might as well make that explicit policy, rather than doing it after the fact in a way that seems discretionary.

The Reddit thread is full of people who are saying that they intend to pull their static content off of Netlify and move it to Cloudflare Pages, which has no overages on the free tier in the first place. I can tell you that I personally chose Cloudflare Pages to set up a new static site a couple of weeks ago, and Netlify wasn't even in the running.

If Netlify's free tier is important to their customer acquisition strategy, then they really need to retool how they're offering it, or Cloudflare is going to eat their lunch.

[joshjob42]

Just deleted my tiny personal site, and will reinstate it at Cloudflare Pages. Thanks for the tip!

[hex4def6]

It seems like that could be an option like:

Hard limit: [$1000]/mth or [$500]/24hr period

Notify me if traffic exceeds thresholds: [$800+]/mth or [$400]/24 hr period

Notify me if the traffic forecast for the month looks like it will exceed my hard limit before the end of the month.

[patmorgan23]

They still need to make tweaks to avoid sending $100k bills to people who signed up to a free service.

Like let them go over one month and then make them sign up for a paid plan for the next.

[conductr]

> I still in 2024 rent physical boxes and run the modern stuff on top of them directly, yes it costs me more per month but the price is hard capped.

I still prefer this too. Kinda funny how server resource limitations became a feature and not a bug when it was one of the problems the cloud sought to overcome

[albert180]

Physical Boxes at Hetzner and the likes are usually way cheaper than most cloud offerings

[conductr]

Cloud is somewhat managed though so charging a premium makes some sense. The blank check factor of how they price their services is a major risk IMO. Also a turn off how every single bit of functionality becomes productized with its own pricing model.

[c120]

Yes, any price that's not hard capped is unacceptable. One reason why I quit Amazon cloud after the trial year. No because they were too expensive, but there was no way to guarantee they wouldn't charge me more than planned...

[listenallyall]

If a cloud platform offers such a limit, but the user fails to set it up, then uses $100,000 of bandwidth, is the platform then justified in NOT forgiving the bill?

[Hamuko]

If forgiving bills for this kind of a thing is a standard practice, how come this was the customer support's first reaction:

>We normally discount these kinds of attacks to about 20% of the cost, which would make your new bill $20,900. I've currently reduced it to about 5%, which is $5,225.

20% and 5% are quite a bit higher than forgiven.

[CogitoCogito]

Given this has been asked here multiple times without response from /u/bobfunk, it’s hard to conclude anything except that he is lying.

[hirako2000]

I will put there the other obvious offender: Vercel . Not sure about bandwidth, but dark patterns, keeping serious RBAC procedures we'll hidden until asking a fortune even for startups, to provide not things like SSO, just reasonable RBAC.

With all that money they then can finance the free tier until they get too far and become platform locked-in.

Surge.sh Im not sure. But shows all the sign of some greedy acquisition, regular long outages , as if I have been sitting as a free tier for too long, quick nudge to pay. For barely accessed sites even behind CDNs, steep. I even worry they one day just wipe all my buckets (they did for a few already) and support would recommend me to be a "normal" paying user .

Nothing is free. And nothing too good to be true is true .

[Jgrubb]

Or that usage and billing is a difficult space and this particular thread has been dogpiled by a bunch of folks that have never actually worked in it.

[CogitoCogito]

His claims are directly contradicted by his employee's actions. When asked about this, he provides no clarification. I just don't understand why you'd consider him even remotely believable.

[hirako2000]

Lying but a good talker for sure.

I wouldn't want to be CEO these days. A lot are trained and paid to do damage control.

[op00to]

This needs to be much higher up.

[CogitoCogito]

> 1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral

This isn't what you said in your first post, you said:

> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

So forgiving "lots and lots" doesn't move the needle. Do you or do you not forgive _all_ such cases where your DDOS protection doesn't take down the site? What was your employee referring to when saying that the usual discount is 20%? Are you saying that you _never_ discount 20% and instead always discount 100% i.e. "forgive"?

[meh___]

I don't think this will get answered, unfortunately.

[hirako2000]

1. Forgiven many, is Netlify forgiving all obvious anomalies? Is the question, which if so but you said many so it is a no, it would make you reconsider the next point 2. Favoring keeping people site up ? Would you go as far as keeping them up if they stopped paying for the meter? If not you simply should not let that meter go overboard.

Hey I'm a taxi driver. Hailer fell asleep on the back, so I kept driving all night, once he woke up I dropped him to his place and asked for my monthly wage. I "forgive" many, but just a few are juicy income so I adopted the policy to never wake any customer up. If people ask I say it would be impolite, principles prime.

[FlyingSnake]

Regarding #2: I would rather have my hobbyist website go down rather than facing the daunting task to raise a query on HN and hope the bill goes away.

[charles_f]

> 1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral

Sequence of events doesn't support this answer:

1. User gets charged 100k

2. User complains to support

3. User receives discount to 20k, then 5k. Support states policy is normally 20k

4. User discloses to the world. Goes viral.

5. Invoice is forgiven

While you might forgive "lots and lots", fact is that you still presented the invoice to a free tier customer, and when they complained you gave them a discount, but still charge. Only when it went viral did you forgive it.

[sanitycheck]

Quite... It does seem that either the story we're getting isn't completely accurate or the support people who handled this need a little reminder of what's supposed to happen.

I'm a paranoid person by nature so "It's free... just... give us your card details" is always suspicious.

[krab]

The issue is that you don't have to give the credit card details in this case. That charge wouldn't probably have gone through anyway.

[ponector]

They had forgiven lots and lots of bills, but forced to pay lots and lots more people.

[pierat]

Give that there are free stressers/booters , and reasonable prices to rent a DDoS cloud.... https://stresser.su/#pricing

1. What are you doing to prevent DDoS's from hitting your network?

2. Why do customers have to allow an unlimited credit burden to use services?

3. Why arent there cost controls to "if $$ exceeds X, shut acct down"? Azure can do this.

Long story short, why are you by default (except for social media escalation) passing fraud costs to customers?

[ilaksh]

But you realize that a small business or startup can't rely on "generosity" to avoid going bankrupt?

It seems that significant bills appearing without warning or cut-offs is clearly intentional. I am embarrassed that I recommended Netlify before.

[Sephr]

Do the changes you are working on that will cause "the default behavior to never let free sites incur overages" involve providing users with spending limit controls?

Solving this only for the free site use case doesn't address the core problem that people are bringing up about a lack of spending limit controls.

[HeatrayEnjoyer]

Do we have anything more binding than your word to rely on?

From what I see you could change this policy tomorrow unilaterally and we would have no recourse.

[hunter2_]

> this policy

I wouldn't think it's a binding policy at all, because the billing procedure (automatic full bill, manually discounted bill, etc.) would follow it if it were. More of a procedure.

[Salgat]

Why did this happen in this case if you said it doesn't? Netlify fought to bill OP repeatedly until it went viral.

[SXX]

> 1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral

No offence, but this sounds like "trust me bro" billing and it is not good enough. Someone could literally get a heart attack from getting $100,000 bill - this amount of debt can literally ruin someone financially.

> 2. While I've always favored erring towards keeping people's sites up we are currently working on changing the default behavior to never let free sites incur overages

I hope you understand that chance someone who used to pay you $20 / month unlikely want to ever get $10,000 bill. Yeah people might dislike that their website went down due high traffic, but it's not gonna bring this much negative PR as incidents like this. There should be some sanity check at least.

[hnbad]

> Someone could literally get a heart attack from getting $100,000 bill - this amount of debt can literally ruin someone financially.

Not a heart attack but there has literally been at least one suicide over an unexpected life-ruining bill like that:

https://www.forbes.com/sites/sergeiklebnikov/2020/06/17/20-y...

[oneeyedpigeon]

2. is obviously what should have always been the case, but it's good news to hear you've now gotten there. Every single hobbyist website would always choose downtime over a hundred thousand dollar charge.

[rjzzleep]

With a properly configured nginx, you can easily serve 10's of thousands of requests a second on vserver type hardware. Netlify just offers these build pipeline kind of static site with cms UI.

But this is a good reminder why my gut feeling always made me avoid these overengineered solutions.

[mcapodici]

It wasn't the engineering that did it, it was the egress charges. But I think the IaaS tend to charge more for this than the clouds, who in turn charge more than the "servers for rent" people.

[hirako2000]

They aren't engineered, they subsidize (more) enginnering effort , and (are meant to) cost less as a result.

They do. But of course maximizing profit is the sole true prerogative of capitalist enterprises. And the market is not totally competitive. So yes your intuition was correct, to be cautious against over enginnered pricing to get y'a.

I mean those companies cater to hobbyist. Then ...

Render seems more fair-play. Until a change of mgt occurs of course.

[EasyMark]

You should probably consider a daily limit (up to some max n days) rather than a hard one time limit. If your engineers can set a 1 and done they can set an n and done and it would be a much better solution and more customer friendly. The guy using 5 gigs today as a poor college student will likely have a position in a small to mid-size company in a few years. I assume non-free (but low tier) customers would much prefer a reasonable limit set as well. Maybe a max of 2x (or so ) bandwidth so no huge surprises. Remember they're your customers and not your paying adversaries

[awill]

I’m sorry. You are working on changing things so FREE sites don’t get charged???

That’s the elephant in the room here. I understand an enterprise plan where you state billing is $xx per GB, but billing someone with a free site??

Give me a break.

[paultopia]

This seems like a really good idea to me. Or at least cap overages at a specified amount, like 2x the free level (a $55 surprise bill is a totally different universe from a $100,000 surprise bill, obviously).

Honestly, this terrifies me---I run a bunch of different sites off netlify, and I would have never imagined that a site could jump from 0 to six figures of bills a month without something hitting a tripwire somewhere and cutting it off or at least communicating with the account owner. At least users should have the capacity to self-impose bandwidth caps to prevent this sort of thing.

[boeing767]

"wOrKiNg oN"

[gaza3g]

Thank God for social media that the user was able to get attention about this on Reddit which he was then advised there to post this on HN. It must have been stressful to see a six-figure bill and then get told that that, no worries, you’d ‘only’ be charged $5k instead for a static site. It’s just ridiculous to me to be sent a 6-figure bill in the first place.

[herbst]

I hope this is not one of the cases that get simply forgotten and in a week or two their beginner unfriendly platform gets recommended again without a second thought.

With models like this and AWS people will get afraid of success

[quickthrower2]

I think fly/netlify/vercel/render etc. get a decent enough flak on here for costs and/or reliability.

The average HNer seems to be recommending colocating your physical server :-)

[ptdorf]

This is the way.

[mlrtime]

Well, it's still debatable for the history books if social media is a net good.

Before the internet, these issues would be handled by local news journalism, and still sometimes do!

[romphl]

I mean, social media is pretty much an inevitability once mobile phones/internet became mainstream. Just like the invention of the gun and gunpowder, I think we are still debating if it was good for society right to this day.

[mchinen]

From the 5% reduction it seems (1) was less likely.

To bobfunk, the response needs more empathy and explanation around the obvious frustration around why there is no slider for cost limitation.

As it is, it feels like the minimum viable corpspeak apology and damage control.

[darksim905]

You don't see VPS providers like Vultr forgiving bills like this, nor do they make the news. Granted they are not the same scope as Netlify, but still.

[nfw2]

OP said they agreed to reduce the payment, which means they acknowledged it was an attack but still wanted payment

[keeganpoppen]

if only i had $1 for every time for every time someone asked this exact question on HN. yes, we all get it: easy question is askable and not answerable. you want a gold star?

[valine]

I’ve been a netlify user since 2017 and I just deleted all my sites. I can’t risk receiving a $100k bill for toy projects. Your “current policy” is not good enough.

[turtles3]

Same, as it stands you the user are legally liable for the full bill unless netlify graciously forgive it. Even in op's case, they didn't (still charging 5k!).

If there was an option to cap billing, or at least some legally binding limit on liability, then I can countenance using netlify.

Until then, it's just not feasible nor worth the risk.

[erremerre]

Same boat here.

the fact that once it arrives to the limits does not display an error page.

At this point I honestly do not care about they changing their policy, they should have thought that a normal person receiving a 100000$ bill on a free tier shall not been at all on the table in any circumstance, even if they forgive the bill, nobody needs to stress out like that.

[jcalx]

Same. I will (almost certainly) never incur a $104k bill, but switching to Cloudfare Pages looks free and I don't want to depend on unwritten policies of goodwill to mitigate the potential risk.

[epiccoleman]

Same here. Will I ever get a level of traffic that would cause this problem? Extremely doubtful. Is it worth the risk when Cloudflare Pages is a similarly easy offering, and took 5 minutes to switch to? Hell no.

[listenallyall]

Starting to wonder if this whole thing was an elaborate ploy by Netlify to cull the herd of longstanding, non-paying accounts.

[eric_cc]

Same. Toy project and it’s not worth the risk of using netlify. What’s a good, simple alternative for a VueJS app?

[lelanthran]

> What’s a good, simple alternative for a VueJS app?

I'm not sure about VueJS specifically, but I run everything I can off a $6/m digital ocean droplet (static sites, web apps, git repos, RDBMS, some other custom apps I've written) and it hasn't broken a sweat yet[1].

My understanding used to be that requests will be dropped if my virtual server can't handle it, and I'll have to transfer 10,000TB to get to a $100,000 bill.

In practice, my server will not physically handle the load to serve more than maybe $1000 of data a month; it will fall over before that.

In summary, using a VPS is sorta like an instant hard cap.

[1] Until I tried using Jenkins. Which crashed constantly because apparently 512GB of RAM is too little for what it does. I'm now in the process of writing my own little CD tool that isn't going to go over 30MB of RAM just to run my deployment scripts.

[icelain]

Having a personal VPS is the way. I run a SvelteJS app as well as my personal website, blog and a couple other services on a $6 droplet and it runs great.

[listenallyall]

I agree with both of your philosophies and also run a VPS. However, lots of people would have no idea how to manage a server from scratch or to install a web server, even a static one. Netlify really is pretty amazingly simple for what it offers, which is a lot. And even among those who think they can run a server, many probably have wide open security holes they are oblivious to.

[lelanthran]

> And even among those who think they can run a server, many probably have wide open security holes they are oblivious to.

This is the big thing, but I also think that modern out-the-box OSes are pretty damn secure these days.

IOW, the amount of knowledge and time needed to maintain my single VPS is a lot less than the knowledge and time you will need to manage your costs using multiple hosted SaaS suppliers for static hosting, web-app hosting, database hosting, repo hosting, etc.

[victorbjorklund]

Cloudflare pages is pretty much drop in for netlify. And it has unlimited bandwidth for free (at least in theory. Guess they might call you if your site does 1 petabyte per hour)

[geon]

Github pages.

[jug]

I agree and also delete my account.

The only "fix" here is to act like Hetzner and null route upon DDoS, price cap the thing, or offer unlimited bandwidth on the free tier like e.g. Cloudflare Pages.

Uncapped but paid is a recipe for disaster and you'll always be subject to the will of the support staff when something happens. If they can grasp to a straw leading to suspicions that it's not in fact a DDoS attack, you can for example be sure they'll do just that. Just no.

[zrn900]

Hetzner dedicated servers are (true) unmetered with 1 gbit connection. (can be upgraded).

https://www.hetzner.com/dedicated-rootserver/matrix-ax/

With a 48 core Epyc or 80 core arm server, one really shouldnt need much more for a middling project. There are enterprises who run entire services on such hardware.

[livrem]

How does price caps work on Hetzner? I never managed to figure that out from reading their price lists. It looks to me like they charge for each TB, and the only thing I can see is that you can set an email alert to go off when close to some threshold?

[Hetzner_OL]

Traffic limits change depending on our products: See https://docs.hetzner.com/robot/general/traffic/ 1) dedicated servers: unlimited 2) cloud servers: changes based on package 3) colocation: changes based on product 4) managed servers: unlimited 5) managed vServers: 20 TB 6) Storage Boxes: unlimited We only calculate outgoing traffic. We do not count incoming and internal traffic. --Katie

[JasonSage]

Couldn't have worded it any better.

I did the same last night from my phone. My personal site and a project docs site are just going to not be online for a couple days. Easy choice.

[ks2048]

Same. I'm looking at alternatives to get off netlify ASAP.

[jotaen]

For static sites, I’m quite happy with Cloudflare Pages + Github deploy action. (https://github.com/cloudflare/pages-action)

[lobsterthief]

Thanks, I have 3 sites I need to get off Netlify and I’ve spent the morning reading about Cloudflare Pages.

My only hesitation is the 20k file limit; one of our sites is a large Gatsby site that generates certain content programmatically, sometimes using a series of YAML files as the source. Pretty sure we’re over 20k pages by themselves. Been meaning to move this one to Next.js sometime but that’s not on our roadmap anytime soon.

[herbst]

Any cheap VPS and nginx should work for 99% of their customer base I guess. If you want easy deploy for static or dynamic just use git hooks.

[ryandrake]

I've run all of my hobby projects, including personal web pages, a Wordpress site that serves a local club, a small single-JS web app, and E-mail hosting for my family and a few other domains, on a single $5/mo VPS, and have never received a bill higher than $5 for the past, I don't know... 15 years.

If your web site makes you money in proportion to the amount of views or bandwidth you use, by all means, go with a provider that increases your costs when your traffic rises. But if your web site does not make you money, why not host it somewhere for a flat rate?

[herbst]

I don't get that either. I earn all my money from my websites and serve > 1mio requests daily all from a single Vultr instance for less than $150 including backups and more traffic than I ever need. With monitoring, CDN, DNS, ddos protection, and whatever I pay about $200 a month, no surprised and a lot of room to grow or get HN hugged, or whatever.

I've been on a $25 instance for years for all my sites, which worked as well.

[user3113]

You can check https://stormkit.io though it does not have free tier.

[fetzu]

Did exactly the same, moving everything over to Cloudflare took me less than 15 minutes. “We’ll forgive those cases, pinky swear” is not a valid excuse when putting (even opt-in) hard limits in place is technically viable.

[jari_mustonen]

"Current policy?" So, you will retain a right to change such fees when you feel like it.

This is a serious matter. We are building a new site for our company with Netlify, but we can't open ourselves to this predatory practice. And even if you do not mean to be predatory, even the option of such is enough.

If not resolved with a clean, legally binding promise, our company (and probably quite a few others) must move our business to Cloudflare, Amazon, or some other competitor of yours.

[rafram]

Presumably your company’s site won’t be on their limited free tier.

[lobsterthief]

The paid tier (like $19/mo/user) has the same vulnerability. Overages are charged at the same price per GB as the free tier and they could still be charged $100k for the exact same thing.

[karaterobot]

> "Current policy?" So, you will retain a right to change such fees when you feel like it.

Is that unreasonable?

[listenallyall]

Why are you asking this question here? Any actual company would have reviewed all the legal documents prior to choosing a provider. The promises you seek are the exact reason "enterprise-grade" providers can (and do) charge so much.

edit: hey guess what, Netlify offers an enterprise plan, I'd bet they will be happy to offer you a "clean, legally binding promise": https://www.netlify.com/pricing/?category=enterprise

[jari_mustonen]

That does not help when we are evaluating and build the solution. We will proceed with this one.

[phyzome]

« Apologies that this didn't come through in the initial support reply. »

"Didn't come through" doesn't actually match the user's report of having support explicitly offering 20% and then 5% payment. It sounds like maybe you have a training problem? That seems like one of the important points to speak to.

[heavyset_go]

> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

That doesn't square with the 5% fee on the original $104k that your company told the OP to then pay.

[tledakis]

> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

Well, giving the option to users to plan ahead would be best, no? Like a setting to choose whether they want a potentially unlimited bill versus downtime. Instead of that, you are choosing to stress and make people scared/anxious/homeless even (if they don't think of raising the issue on HN).

Seriously, this is not rocket science. This must have been discussed before in your company, and someone actually made this decision to stress people about such bills.

[CogitoCogito]

Frankly the only reason I can even come up with that Netlify wouldn't have such controls in place is exactly if they do _not_ simply forgive these sorts of jumps in costs (as the CEO here seems to be claiming). I'm pretty sure if they'd be left holding the bag, they'd manage to find some way to cut off these kinds of jumps in usage.

[op00to]

Maybe it’s a tax dodge! “Forgive” 100k of “overages” which cost Netlify next to nothing, then report it as a write off on taxes.

[kjs3]

That would potentially make this situation much, much worse (in the US tax system...YMMV). If Netfly forgives a business debt and reports it to the IRS as uncollectable so they can write it off, the IRS can consider all or part of the forgiven debt as income to the person who is forgiven (there are lots of details, IANATA/IANYTA, YMMV). I don't want a blindside 100k bill from my hobby site, but I sure as phuck don't want the IRS thinking I made an extra 100k of taxable income. I might be able to shame Netlify into forgetting about it, but the IRS is not usually so easy to deal with.

[op00to]

Oh no I just got a 1099! Ha ha. That’s a really good point.

[croemer]

Not a dodge, (tax) accounting doesn't work like that. You can create accounts receivable of 100k and then write them off, that leaves you in exactly the same state as if you had just not entered the whole thing into the books at all. No benefit to "writing off".

[SXX]

I doubt IRS would buy that BS.

[op00to]

They’d have to be properly resourced to identity the BS first.

[Nition]

Well, note that they're only talking about giving refunds if there's an attack and they miss it. Doesn't mean they'll give a refund if you get $100K worth of real user traffic.

[CogitoCogito]

> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

The legitimate mistake sounds to be on _your_ side if anything. You failed to match the attack pattern after all.

> Apologies that this didn't come through in the initial support reply.

The support email said you normally discount the attacks to 20%, but in this case it would be discounted to 5%. Are you here publicly claiming that your policy is to in fact to forgive (i.e. discount 100%) these bills? Was the support reply totally incorrect in claiming that you normally discount the attacks to 20% or are you lying when saying that your policy is to forgive the bills? You might want to clarify your position here.

[7moritz7]

How does a 60 TB in a day peak for a site that previously never crossed the free tier threshhold not qualify as "attack pattern"?

This is a static site. To reach that sort of bandwidth out of nowhere you'd need to publish the blueprint for a teleportation machine

[hnfong]

To be fair, these days, things can become viral literally overnight.

That said, instead of depending on unreliable heuristics, they should just allow an option to change the behavior. The "current policy" to charge small sites on the free tier thousands of dollars instead of just throttling/shutting down the traffic is really predatory.

[quickthrower2]

60TB with each request for 1Mb say would be 60000000 visitors. So guess this is possible but hell of unlikely.

[Izkata]

"static site" doesn't necessarily mean "small". It would be easy to go way over 1Mb with a couple of pictures.

[frontalier]

at 60MB it is still one million downloads

[krick]

I'm not trying to justify netlify, because it's pretty obvious all cloud providers have vile intentions here (even though they pretend otherwise): it's obvious that total majority of use cases for such platforms are toy or small-scale projects, and literally everyone in this market would prefer their website being shut down, rather than getting $100K (or even $5K) bill, BUT…

1 million downloads (= visits) is nothing for "going viral overnight"

[pants2]

Most people won't want to fork over $100k to support a hobby project that's gone viral either.

[brnt]

Anyone exceeding their plan with a factor of 10 or hell, let's make it a 100, almost certainly didn't anticipate it and thus isn't prepared for the kind of bill that apparently comes with it (or even knows that there would be a bill). On top of that, there currently is no way to state such rules up front! Moverover, according to their own explanation, it was almost certainly not organic traffic!

I wager the vast majority of people in the free tier would gladly cap their traffic at the (generous!) bandwidth offered by Netlify. Even to the majority in paid tiers, 100k bills where there previously was none must be unwanted and unintended.

I mean, we all know dark patterns are a thing...

[brnt]

I understand that you need to pay bills, but auto-billing over the bandwidth budget just isn't OK, or at least not unless the user specifically configures that that's OK. I for sure didn't understand your bandwidth tiers that way.

You can avoid this sort of bad press and disgruntled users and your support cost by just giving users the option to shut down the site once the bandwidth budget is up.

[kiprou]

That customers must seek forgiveness at Netlify's discretion is not comforting. What's comforting is dependable spending controls.

[altin0]

Lol this deescalated pretty quickly, went from $104K to $20K to $5K to $0 Which basically means you almost scammed the customer for $5K or $20K. Super negative practices. I for one could never trust a company operating in that manner. It would be much more honest to say "unlimited bandwidth" and set a hard-limit for maximum budget, then people know they won't be charged, than to go through all this crap and then pretend you're doing a favor to the customer (you're not). If I'm normally spending $10/month any idiot out there would know for sure that I'm not going to spend $104K instantly. That's a very basic filter to have. But you don't place such filters because obviously you're working on the principle to scam people many thousands of $ if they fall for that. Heck, for all we know you might send that amount of traffic to your customer and the try to scam them and if it doesn't work then pretend you're doing them a favor.

[hasty_pudding]

The fact that the CEO had to step in after this blew up online otherwise they were going to try to extort that poor dude for thousands of dollars!

Moving my sites off of netlify ASAP.

[BigJono]

Tell you what is a good question, why is this thread on page FIVE of HN (ranked #125) with 1000+ upvotes, 400+ comments and only 7 hours old?

[dang]

This is in the FAQ: https://news.ycombinator.com/newsfaq.html. See "How are stories ranked?" and "Why is A ranked below B even though A has more points and is newer?"

About this specific case: it set off the flamewar detector (a.k.a. the overheated discussion detector) and also got moderation downweights. We sometimes turn off that penalty, but I don't think we'd do so in a case like this, because HN gets so many posts of this nature. They flare up with Big Drama that is sensational for a while but not particularly interesting, and therefore not really what the site is for.

In fact HN gets so many posts of this type that it has become a joke, and not only that but a cliché, so much so that the top comment of the Reddit thread repeats it [1]. That's about as repetitive as anything gets. The basic idea of HN is to gratify intellectual curiosity [2] and avoid repetition [3].

[1] https://old.reddit.com/r/webdev/comments/1b14bty/netlify_jus...

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

[3] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

[BigJono]

I don't really buy that to be honest.

I read this whole thread before the CEO posted and after, and neither time thought any of the comments were out of line or even that the general mood was any more heated than any other random HN thread. People are politely asking pertinent questions.

And I think once the CEO makes a statement which contradicts the company's support response, that becomes very interesting. Particularly to anybody that uses their service. I'm certainly not finding the conversation very repetetive or cliche.

[dang]

You're welcome to disagree, of course. My main concern is to explain what the principles are. I'm not saying we apply them perfectly—sometimes we make bad calls.

I can tell you pretty much for certain though, that we'd hear many more complaints if a Reddit thread about a customer support shitstorm stayed on HN's front page for very long.

Btw, the Customer Support Fuckup category is one of several $X where HN has become known as the place for $X, but only because HN is not actually for $X. Another example is the Site Is Down category—people often come to HN to find out what's going on when some $Site or other is having an outage. But just as HN itself isn't a site monitoring platform, it's also not a customer-support-of-last-resort platform.

If the community feels like this customer support fuckup is altogether more interesting, I'd consider reversing the call, but again, my gut feeling is that we'd get even more complaints that way.

[7moritz7]

I'm not a fan of opaque ranking algorithms either. Just use this, the only thing it has is a 500 point threshhold and surprise, that works perfectly fine to determine what is currently trending in the community

https://hn.moritz.pm

[croemer]

I asked this question as "Ask HN" here: https://news.ycombinator.com/item?id=39524660

[sergiotapia]

I found out about this from twitter - weird how it's so buried on HN.

[chatmasta]

Heck, at that point, why not "send some traffic" to your customer? It's not like they have any way of verifying its source. Hmm... why even send traffic at all? Just add a multiplier to their metrics!

[canyonero]

This is very weird take. I'm struggling to understand why this is incident as a reflection of "super negative practices" or is somehow a "scam". The CEO came here and publicly apologized for the mistake and mis-communication, and the issue is resolved for the user with no charges. What am I missing?

[herbst]

What price would the dude have to pay if he didn't publish it? How often does this happen and why is there no protection against charging free customers 100k out of the blue. Why charge it and shock the customer if practice is to waive it? The CEOs response kinda just made the situation worse.

[canyonero]

Yeah, I don't buy this conspiracy theory. The reason why they charge it could be as simple as they calculated the bandwidth usage following a ddos attack. It amounted to 104k worth of bandwidth usage. There system is not sophisticated enough to recognize it was a mistake due to attack on their site. Thus a manual intervention was needed, and now it's resolved.

[Hot_Garbage]

Right, but there's still a huge contradiction here. The support email says it's standard practice to charge 20%. Now the CEO's comment says it's standard practice to waive it entirely. So which one is true?

[altin0]

It's only a weird take if you don't have any common sense. It's super simple: either offer unlimited bandwidth(since you're not charging these anyways), like Cloudflare Pages does, or put in place controls that will allow customer to set a top limit for their budget. You can't just all of a sudden send them a $104K bill and expect them to pay when the've never spent more than a few bucks. And then even worse, you can't pretend to expect them to pay 20%, then 5% then pretend you're doing them a favor by completely liftig it off. That's just arbitrary billing and preying for any victim that would fall and agree to pay 20% or 5% etc. I'm just asking for common sense and practices that build trust, not arbitraty billing rules.

[chomp]

"Pay for what you use" is an arbitrary billing rule? Come on now.

OP was ignorant, and got tossed a lifeline. Also “just make everything zero dollars bro” is a ridiculous proposition.

[notnaut]

In New Jersey I have to let an attendant pump my gas. If I have a heart attack while he’s pumping gas, but I never explicitly say “please stop once it’s full” and he, innocently enough, takes the still-flowing gas hose and pops it into a sewer grate once my tank is full, you’d be hard-pressed to find a reasonable person agree that the attendant was throwing me a lifeline when he refunds me after I come back complaining about my $2k gas receipt.

This is a dumb analogy, but the point is there is very obviously a pattern in this payment process that is ripe for abuse. The question of whether or not you aim to be an abusive business, plucking every shady profit where you can put the onus on the customer to try to come get their money back is one that many companies are deciding, and many are erring in the direction of the dark pattern.

By not working to avoid this problem from the get go, there is an implication about how a company wants to make their profits.

[wpm]

Pay for what I use works for airline seats and reserved compute/storage resources.

I have no control over how much traffic my public sites get. There is zero value in me signing up for a service which charges me based on traffic if I can’t control the maximum they’ll charge me. Would you sign up for an infinite bill?

[altin0]

the CEO said they're "forgiving any bills from legitimate mistakes" which effectively means "just make everything zero dollars bro". And no, he didn't use all that bandwidth, he was victim of a DDoS which the hosting provider should have measures in place to prevent or limit the service if it happens.

[asjur]

Perhaps a bit ignorant, but to be fair that Netlify attempted to charge him is absolutely ridiculous. With my hosting provider, I would pay a whopping 50 EUR for the same bandwidth that he was asked to pay 104.5K USD for. That just shouldn't be possible to happen, especially on a free tier.

[jmgaicra]

Any person seeing a user that normally has a $0/$10 per month bill suddenly spike to $104K would see that this is obviously a DDoS.

If it has always been a "policy" to forgive bills, shouldn't it have been 100% forgiven immediately after OP contacted support in the first place? Why go through the trouble of playing the hero by offering "discounts".

[Super_Jambo]

The user was asked to pay 20% then 5k on a service that's called "free" but has some extras which actually cost money.

After this the CEO comes along and says that the policy is actually not to bill for this kind of event... But the company actually tried to bill this user 3 times... soo it all stinks really.

[fabian2k]

You can't rely on such a policy if it is not part of the actual contract. This doesn't address the enormous uncertainty and risk that is present here when using Netlify.

[shit_game]

This is what sticks out to me about the situation. I would much rather a site go offline due to service overage triggering at some limit that I set - simply relying on the good faith of a host to subjectively waive fees is not reliable nor does it instill confidence that I won't be financially ruined by malicious third parties (like nearly happened here). I would imagine that the good faith of Netlify in this case would mean very little to a court when there is a contract that stipulates costs for services, and the worst case scenario for a user is that Netlify could take the issue to court with the contract the user agreed to and demand full payment. Even the possibility for this situation to occur without any tools existing to prevent it is terrifying and is a terrible value proposition for a service.

[anonanoa]

So what's the policy?

Do you forgive 100%, 95%, or 80% of the bill?

Is the 100% only available when a story about a bill goes viral?

[jpambrun]

By the time you forgive the bill you may have caused significant psychological distress, maybe even irreparable. This doesn't feel like a responsible approach.

[is_true]

This is the way most companies work unfortunately. Paypal limits your account and makes you wait 6 month to (maybe) give you a way to get the money back.

[_gabe_]

This is why I stopped using PayPal. My credit card company allows me to issue chargebacks with typically very little friction because of my credit history. PayPal once put me through the wringer for an order I cancelled and never received a refund for. After that I deleted my PayPal account and decided to never use it again. In this case, I would take my site off Netlify and never use it again.

[JasonSage]

I’ve already migrated my two sites off Netlify after reading about this incident, and seeing other replies where folks said they were stuck with large bills.

This large bill doesn’t look like a legitimate mistake, it looks like everything worked as intended until things got escalated via Hacker News.

[harrycharound]

This leaves all your other small business users potentially on the hook and at the mercy of your mercy.

Not only should this stuff be capped rather than the dam allowed to flow, but your systems should have picked this up immediately and known it for its nature.

Thus must have been a nice little earner for you over the years.

I'm moving all my netlify sites elsewhere, bob.

I'm probably not the only one.

[silent_cal]

Good on you for reaching out, but getting a bill like this in the first place is enough to send someone to the psych ward, lol.

[baggachipz]

Email:

> "You've got room to grow!"

ohfuckohfuckohfuck

[Sephr]

Can you respond to the allegations that Netlify has inadequate spending limit controls? Are there plans to improve this situation?

[dboreham]

> traffic spikes that doesn't match attack patterns

I interpret this as "we always charge for traffic served, but we attempt to block illegitimate traffic" which means of course that the worse their traffic discriminator performs, the more money they make!

[tacone]

Hello bobfunk, thank you for acting on this.

One question though, what is Netlify gonna do to ensure this doesn't happen again?

I understand it's a hairy question, but the general consensus seems to be some policy must be changed or at least some line should be drawn.

[bluerooibos]

I assume you'll be offering this user a good amount of credit on their account for having to deal with this BS and the stress of being told they owe you $100k?

[ZeroMetaCool]

Made an account here to also let you know, I too am removing my websites from netlify ASAP. Thank you for bringing this to light.

[croemer]

How long has this been the "current" policy? 2 hours?

[swyx]

ex employee here, left 4 years ago. was policy back then too.

[CogitoCogito]

So the original support worker just pulled 20% (and then 5%) out of thin air? Given your internal knowledge, can you maybe explain why a support worker would ever do that if policy is simply to forgive the debt?

[aurareturn]

  but instead forgiving any bills from legitimate mistakes after the fact

What are these legitimate mistakes?

[hnfong]

Presumably the "mistakes" mean failures to detect/recognize "attack patterns".

[optionalsquid]

Wouldn't that imply that a person whose site legitimately went viral would be stuck with the $100k bill?

[kjs3]

Anything Netlify deems them to be, of course. That's why these sorts of T&Cs use weasel words like "legitimate", "reasonable", "expected", etc., instead of giving specifics you can action against. That way they can claim every thing they've done is legitimate and reasonable no matter how fallacious that claim is, and double-dog dare you to spend the time/money to take them to court (or worse, imposed arbitration with an arbiter of their choice) and prove them wrong.

[huxflux]

So this one got attention due to some good Samaritan on Reddit who told OP to post here. Now, to the real question here: have others not received as good advice and just paid up?

[pier25]

> instead forgiving any bills from legitimate mistakes after the fact

That's terrible for marketing.

[joshjob42]

I'm moving my domain name and personal site off Netlify (already deleted the sites, DNS transfer requested), probably moving to Cloudflare pages.

It may only move a few MB a month, but I just can't risk if I put anything more substantial there that I might get hit with a bill for $100k and you maybe will forgive it. And that this has apparently been policy for nearly a decade makes it even worse.

[godzillabrennus]

I'm so grateful that Cloudflare has Pages, and I was able to move my hosting needs there. Netlify has been expensive for a while now.

[foxandmouse]

Sorry, but there is a lot more going on here than you addressed, these charges were incurred on your "starter tier", which has no mention of additional costs.. I've noticed a lot of "sponsored content" by netlify, and again no mention of this possibility.. Also, no comment on not having ddos protection, or at least a spend limit?

Sure, this instance was resolved, but it's also the top post of the last month. Who honestly things it would be the same outcome if not for going viral...

[underdeserver]

You guys see a lot of traffic. Why not offer DDoS protection for the free tier by default?

[jonathanyc]

I’ve been a Netlify users on the Pro plan for a few years now. Moving from Netlify to CloudFlare after this; “this didn’t come through in the initial support reply” doesn’t cut it for a $100k bill.

[BrujahRage]

But you do see how _not_ addressing this in the initial support reply is going to cost you all in the long term, right? The real lesson here seems to be for small projects, it may well be worth the investment to handle my own hosting. All I see here is that getting you to do the right thing required publicly shaming you, which means you can be trusted about as far as I can throw a piano.

[AbraKdabra]

How about a button that says "put down my website if it suddenly starts getting charged"?.

[spacecadet]

Never used "netlify", but to me a product is broken if you are using the words free and bill together.

I wont touch a fake free service if it requires a payment method. Want my money, give me a reason to pay you, dont trick me into paying you.

Temped to go fuzz your product and document other dark patterns...

[bb81]

So netlify is a major scammer organization now!? Uh oh time to look elsewhere

[op00to]

I’d rather be shut down than have a heart attack from a $100k bill. That could literally kill me from stress, even if you pinky swear to refund any oopsies.

[pants2]

See the Robinhood user who committed suicide after misunderstanding his liabilities from selling options.

[phone8675309]

Honestly I'd probably commit suicide if a hosting provider gave me a $100K bill.

Collect this from my corpse you scummy fucks.

[op00to]

Please don’t! We like you here.

[homerjam]

You should rethink this policy. Someone could panic and do something unthinkable, then you'd wish bad press was the only thing on your conscious.

[wendyshu]

Is the support employee going to be fired for making such a traumatizing mistake? Or was 5% ok until this went viral?

[gizmo]

That is an outrageous and inhumane policy. People get panic attacks when they get told they owe 100k they don’t have. People will be terrified your internal process wrongly determines the bill is legitimate. Imagine you have to study for an important exam or that you have a paper due. How can you possibly focus with this nightmare at your doorstep?

Truly shameful.

[bitzleon]

This is predatory and you know it.

Your support was going to charge him 5% as a "sign of good fate". How kind.

If it hadn't gotten traction, you absolutely would have charged him.

How many other people have you strong armed into paying ridiculous bills?

The fact that you have no usage limits is clear indication that this is intentionally left open to abuse.

Extremely shady and downright criminal.