Ask HN: Can Vercel launch open-source versions of applications hosted on Vercel?
Related to this post on reddit:
https://www.reddit.com/r/SaaS/comments/1791l82/icymi_vercel_reserves_the_right_to_open_source/
How much is legally possible for Vercel? Can they take inspiration from hosted applications and launch open source versions? Can they access the code and take inspiration from it?
6 comments
[ 0.17 ms ] story [ 24.7 ms ] threadSome clarifications:
- Leap AI (tryleap.ai) created a template which is a demo, incomplete version of other popular products.
- Templates get submitted to the marketplace all the time. One of Vercel’s devrel promoted it. The idea is to help people learn from a realistic, complete example
- This template has nothing to do with the code or data of any existing hosted Vercel app
Happy to clarify anything else further
However, one thing that is concerning for me is this:
> The employee used his access at Vercel to find his personal email, location, and the list of his projects.
(from https://twitter.com/nico_jeannen/status/1713139186474406206)
I'm unsure if this tweet is 100% truth, and I certainly don't believe it's "normal" as the tweet implies at the end - but it would be nice to get some sort of feedback on this, ideally. (e.g. "the employee was let go" + "we've reiterated internally that this is absolutely not something anyone at Vercel should do").
Last piece of thought - maybe the ToS need some clarifications to see if you could make it less permissive w.r.t. data and content? I understand you need to distribute it etc but would it be an option to e.g. rephrase "you hereby grant right to distribute data and content [...] only to provide you the customer with Service".
Note that I'm typing all this in good faith and I appreciate the work you folks do at Vercel.
Also a fan of Vercel and I'm very appreciative of the work they contribute to the React/JS ecosystem. Errors in human judgement happen and while they may have taken the appropriate action against the employee, I don't feel like they've reassured me enough that there are processes in place to prevent this happening in the future.
Three quick reactions:
- The employee did not find location information on our platform. Our security team is certain of this and that the system worked as intended, but the employee misused it.
- Everyone at the company takes PII and protecting customer data extremely seriously. We have and we will continue to reinforce this in light of this situation.
- Our ToS are specifically designed to protect our customers. Note that in the terms folks are discussing we mention “only in connection to providing our services”. That said I’ll be following up internally to see if more clarifications can be made (I’ve seen companies provide high level summaries in the past to help with the legalese interpretation)