@moyix Network code for AFP :) Does mean file sharing needs to be enabled, but I've got it continuing to hunt for something better in the core networking stack
Mentioned last week we're working towards open sourcing something big. Today I want to share a sneak peek into what's coming. Not sure what we're calling it yet but it's basically an open source version of the dev agent we've worked on for the last year and change.
Next.js had a serious vulnerability in their middleware system which allowed bypassing auth, and while bugs happen, the way it was communicated to their community was handled pretty terribly.
Normally I'm not posting on the weekend but this is some pretty spicy 🌶️ stuff.
In business if you have bad news you're supposed to communicate it quickly and directly; it's a trust exercise for people who put their faith or money in you.
This is also true in tech. We've spent years cultivating a blameless culture because we recognize that with system complexity and how fast everyone is always moving there are bound to be issues that make it through checks.
If the Twitter sphere is to be believed Vercel:
- Knew about this bug for over 3 WEEKS and quietly pushed changes to their new SDKs.
- Did not tag their PRs for fixes as a security issue
- Waited until the last minute to work with their Open Source community to announce the issue and a path to resolution for those affected
Part of responsibly disclosing issues like this is to patch first and then move to communicate immediately to all impacted parties. You do not sit on your hands.
Because of this, multiple platforms went offline today to deal with the bug as a fire drill exercise instead of having proper time to deal with the issue. This is a serious trust issue for what is currently a widely used framework and service. You yourself might be impacted right now.
As a steward of such widely used technology you have a responsibility to your users to protect them even if it's uncomfortable from a business perspective.