by ldjkfkdsjnv 452 days ago
The culture of security within FAANG could not be more opposite to the way that Vercel handled this. In big tech, this would have been looked at in 48 hours, and across thousands of systems all on-calls would have been paged to do an emergency deploy. Probably within 5 days, almost the whole company would have deployed the patch.

Vercel to me seems like it is run by hype men, and the CEO is certainly technical, but these people are not in the weeds in the way they come off.


Also worth noting that this commit in Dec 2024 previously added a bunch of internal headers (aside from this one) to a restricted external access list (one of them was vulnerable to SSRF) and there was never a CVE for it.

https://github.com/vercel/next.js/pull/73482/files

Source: https://news.ycombinator.com/item?id=43449986

Maybe they based their on-call protocol on what people say they want in HN threads.