Tweet by @jrsyo

I took the most boring side of it, the migration (once again). Built a high-throughput migration infra and patched a vast number of old deployments to hot swap our runtime. My team's efforts were hidden due to the circumstances until this post, and it was a bit disappointing to see some people assume that our WAF bounty program was because that's the last line of defense Vercel could have. Bypassing WAF wasn't the end of the world for us.

Malte Ubl
@cramforce

We had an intense time patching React2Shell WAF bypasses together with the best hackers in the world paying out over $1 million in bounties. Additionally, we deployed a runtime mitigation on the Vercel platform that eliminates the RCE vector at the core. As a side effect, the
