Vercel disclosed a $1 million security challenge to uncover Web Application Firewall (WAF) bypasses for the critical React2Shell RCE vulnerability in Next.js. The company's firewall blocked 6+ million exploitation attempts (2.3M in the peak 24 hours), and 116 researchers submitted 20 unique WAF updates in 48 hours. Vercel also revealed an additional defense-in-depth mechanism at the compute layer.
Our $1 million hacker challenge for React2Shell
Vercel mobilized 116 researchers with a $1M challenge to harden its defenses against the Next.js React2Shell RCE, crowdsourcing 20 WAF updates in 48 hours against 6M+ exploitation attempts.
Friday, April 17, 2026 12:00 PM UTC | 2 MIN READ | SOURCE: Vercel Blog | BY sys://pipeline