Our $1 million hacker challenge for React2Shell
Blog post from Vercel
In response to the React2Shell vulnerability, Vercel ran a layered defense effort that combined work with 116 security researchers and a bug bounty program paying $50,000 for each unique WAF bypass technique; in total, over $1 million was paid out for 20 unique findings. Using Seawall, its deep request inspection layer, Vercel shipped 20 updates to its Web Application Firewall (WAF) in 48 hours and added a further defense-in-depth control at the compute layer to block code execution during React rendering.

Before the vulnerability was publicly disclosed, Vercel coordinated mitigation efforts with major platforms including AWS, Google, and Microsoft. These measures were supplemented by a runtime mitigation, adapted from Deno, that directly eliminates the attack vectors at the application level. The response protected Vercel's customers and, by sharing the bypass techniques with other providers, strengthened the broader security ecosystem. The effort showed the value of cross-industry collaboration, the importance of patching, and the need to keep adapting security controls as threats evolve.