Vercel Security Incident Response Checklist
A free browser-only workflow for founders and small teams responding to the April 2026 Vercel security bulletin: scope projects, rotate environment variables safely, check activity, and harden deployment access.
Track the response steps
| Done | Step | Why it matters |
|---|---|---|
| | Save the official Vercel bulletin URL and last-updated date. | The bulletin moved to ad hoc updates after April 24, 2026, so decisions should be anchored to the latest official text. |
| | Confirm whether Vercel notified the account owner directly. | Vercel says affected customers were contacted; do not assume impact from third-party commentary alone. |
| | List production and preview projects that use Vercel environment variables. | Rotation fails when team-level or preview credentials are forgotten. |
| | Identify environment variables that are not marked Sensitive. | The bulletin prioritizes review and rotation of values that were not marked Sensitive. |
| | Generate replacement credentials at the upstream provider before invalidating old ones. | Vercel's rotation guidance recommends updating Vercel with the new value before revoking the old one so production does not break. |
| | Update Vercel project-level and team-level variables with the new values. | Team-level variables can affect multiple projects and need a broader redeploy checklist. |
| | Redeploy production after environment variables change. | Vercel docs say environment variable changes apply to new deployments, not to previous deployments. |
| | Redeploy relevant preview deployments or retire old previews. | Old previews can keep using old credentials if they are still reachable and making API calls. |
| | Verify the new deployment works before revoking old credentials. | This keeps the rotation sequence from causing avoidable downtime. |
| | Revoke or delete the old credential at the upstream provider. | Rotation is incomplete until the old secret stops working. |
| | Re-add eligible production and preview secrets with the Sensitive option enabled. | Vercel Sensitive environment variables cannot be read back after creation. |
| | Enable 2FA with an authenticator app or passkey for the account owner. | The bulletin recommends multi-factor authentication as an account-hardening step. |
| | Review Vercel activity logs for suspicious account or environment activity. | Vercel activity logs show chronological team events and can support owner review. |
| | Review recent deployments for unexpected deployment activity. | The bulletin recommends investigating recent deployments for anything suspicious. |
| | Set Deployment Protection to Standard at minimum where appropriate. | Vercel says Standard Protection is available on all plans and protects non-production deployment URLs. |
| | Rotate Deployment Protection tokens if they are configured. | The bulletin calls out protection-token rotation as a follow-up step. |
| | Document owner, timestamp, old credential status, and redeploy evidence. | A response checklist is only useful if future operators can see what was completed. |
| | Schedule a second review for accounts, previews, and team-level variables. | A second-pass review catches forgotten integrations, team-level variables, and previews. |
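The steps "identify variables not marked Sensitive", "list production and preview projects" and "re-add secrets with Sensitive enabled" can be driven from a project's environment-variable listing. The script below is an added example, not part of this checklist or Vercel's tooling; it assumes the listing records carry the fields `key`, `type`, `target` and `updatedAt` (assumed names modelled on Vercel's project environment-variable API), uses constructed sample records, and treats the April 24, 2026 date as the rotation cutoff.

```python
"""Triage a Vercel project's environment variables into checklist buckets."""
from datetime import datetime, timezone

# Constructed sample records. The field names are assumed to match the
# Vercel project environment-variable API; values are invented for this
# example and do not come from any real project.
SAMPLE_ENV = [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"], "updatedAt": 1770000000000},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production", "preview"], "updatedAt": 1777000000000},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production", "preview"], "updatedAt": 1765000000000},
    {"key": "OPENAI_API_KEY", "type": "encrypted", "target": ["preview"], "updatedAt": 1777500000000},
    {"key": "SMTP_PASSWORD", "type": "encrypted", "target": ["development"], "updatedAt": 1760000000000},
    {"key": "VERCEL_URL", "type": "system", "target": ["production"], "updatedAt": 0},
]

ROTATION_TARGETS = {"production", "preview"}

def cutoff_ms(date_iso):
    """Epoch milliseconds at 00:00 UTC on a YYYY-MM-DD date (the API uses ms)."""
    dt = datetime.strptime(date_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def triage(env_items, cutoff):
    """Sort variables into the checklist's buckets.

    rotate:    readable (not Sensitive) on production/preview and not touched
               since the cutoff -> new credential at provider, update, redeploy, revoke
    readd:     touched after the cutoff but still readable -> re-add as Sensitive
    dev_only:  readable but only in the development target -> lower priority review
    no_action: already Sensitive, or a Vercel system variable
    A recent updatedAt only suggests rotation happened; confirm it in your record.
    """
    buckets = {"rotate": [], "readd": [], "dev_only": [], "no_action": []}
    for item in env_items:
        if item["type"] in ("sensitive", "system"):
            buckets["no_action"].append(item["key"])
        elif not ROTATION_TARGETS & set(item["target"]):
            buckets["dev_only"].append(item["key"])
        elif item["updatedAt"] < cutoff:
            buckets["rotate"].append(item["key"])
        else:
            buckets["readd"].append(item["key"])
    return buckets

def response_record(buckets, cutoff_iso):
    """Plain-text summary for the checklist's documentation step."""
    lines = [f"Vercel env triage (cutoff {cutoff_iso} UTC)"]
    for name, keys in buckets.items():
        lines.append(f"{name}: {', '.join(keys) if keys else '-'}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(response_record(triage(SAMPLE_ENV, cutoff_ms("2026-04-24")), "2026-04-24"))
```

Point it at the real listing for each project and team (exported from the dashboard or CLI) and paste the summary into the response record together with owner and timestamp.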
Is this an official Vercel incident page?
No. This is an independent checklist that points back to Vercel's official bulletin and documentation.
Can this page scan my Vercel account?
No. It runs in the browser, stores only local checkbox progress, and does not ask for credentials or account access.
What is the safest rotation order?
Create the replacement credential, update Vercel, redeploy and verify, then revoke the old credential at the upstream provider.