The Vercel OSS Bug Bounty program is now available
Vercel opens its OSS bug bounty program publicly on HackerOne, inviting security researchers to find vulnerabilities in open source projects after a private program yielded multiple high-severity reports.
Security is foundational to everything we build at Vercel. Our open source projects power millions of applications across the web, from small side projects to demanding production workloads at Fortune 500 companies. That responsibility drives us to keep investing in security for the platform and the broader ecosystem.
Today, we're opening the Vercel Open Source Software (OSS) bug bounty program to the public on HackerOne. We're inviting security researchers everywhere to find vulnerabilities, challenge assumptions, and help us reduce risk for everyone building with these tools.
Since August 2025, we've run a private bug bounty for our open source software with a small group of researchers. That program produced multiple high-severity reports across our Tier 1 projects and helped us refine our processes for triage, fixes, coordinated disclosure, and CVE publication. Now we're ready to expand.
Last fall, we opened a bug bounty program focused on Web Application Firewall and the React2Shell vulnerability class. Rather than wait for bypasses to surface in the wild, we took a proactive approach: pay security researchers to find them first. That program paid out over $1M across dozens…