Cautionary Tale: I got a $1,477 Vercel bill from bots scraping an unreleased project. Always set Spend Limits. Actually I did :-((((
Just sharing a warning for anyone deploying to Vercel: make sure you set up Spend Management caps, even on projects that aren't public yet.
I've been a Vercel customer for years with about 20 production apps. Last week, I got a $1,477 invoice for a pre-launch, unreleased app. An automated crawler fleet sat there downloading heavy media files for days.
Vercel's policy says that bot/abuse traffic mitigated by their firewall is free. However, because these bots identified as "legitimate" search/AI crawlers, they didn't trigger the DDoS protection.
The wildest part: Vercel's own automated support bot reviewed my account, confirmed that 96.4% of the traffic came from a single edge region (cle1), and told me: "this is exactly the type of situation that warrants review by our support team." But the bot is hardcoded to not issue bandwidth refunds.
I've submitted a ticket and tweeted at the CEO, but I'm currently waiting in limbo.
TL;DR:
- Set Vercel Spend Management caps to $100 immediately.
- Put Cloudflare in front of Vercel to block bots before they hit Vercel's CDN.
- Don't assume Vercel's firewall will auto-mitigate polite but aggressive scrapers.
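An added example, not from the original post or from Vercel or Cloudflare: a small Python script that aggregates CDN access logs per user-agent and flags agents that self-identify as crawlers yet exceed an egress budget, using single-region concentration (the post's 96.4% from cle1) as a secondary signal that the traffic is one fleet. The log format, field names and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log format (not Vercel's): ts region client_ip status bytes "user-agent" path
LOG_RE = re.compile(r'^(\S+) (?P<region>\S+) (\S+) (?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)" (?P<path>\S+)$')
BOT_UA = re.compile(r"bot|crawler|spider", re.IGNORECASE)

# Constructed sample: a crawler UA pulling ~50 MiB media files, almost all through one edge region.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z cle1 203.0.113.10 200 52428800 "Mozilla/5.0 (compatible; ExampleBot/1.0)" /media/demo.mp4
2024-05-01T10:00:01Z cle1 203.0.113.11 200 52428800 "Mozilla/5.0 (compatible; ExampleBot/1.0)" /media/demo.mp4
2024-05-01T10:00:02Z cle1 203.0.113.12 200 52428800 "Mozilla/5.0 (compatible; ExampleBot/1.0)" /media/hero.mov
2024-05-01T10:00:03Z sfo1 203.0.113.13 200 4194304 "Mozilla/5.0 (compatible; ExampleBot/1.0)" /media/thumb.jpg
2024-05-01T10:00:04Z iad1 198.51.100.7 200 2048 "Mozilla/5.0 (Macintosh) Safari/605.1" /index.html
"""

def egress_by_agent(log_text):
    """Sum served bytes per user-agent and find the edge region carrying most of them."""
    agg = defaultdict(lambda: {"bytes": 0, "requests": 0, "regions": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        rec, size = agg[m["ua"]], int(m["bytes"])
        rec["bytes"] += size
        rec["requests"] += 1
        rec["regions"][m["region"]] += size
    out = {}
    for ua, rec in agg.items():
        region, region_bytes = max(rec["regions"].items(), key=lambda kv: kv[1])
        out[ua] = {"bytes": rec["bytes"], "requests": rec["requests"], "top_region": region,
                   "top_region_share": round(region_bytes / (rec["bytes"] or 1), 3),
                   "claims_crawler": bool(BOT_UA.search(ua))}
    return out

def flag_heavy_crawlers(log_text, byte_budget, region_share=0.9):
    """Agents over the egress budget. Status 200 plus a crawler-looking UA means the traffic
    is billed rather than mitigated; a dominant edge region suggests a single fleet."""
    flagged = []
    for ua, s in egress_by_agent(log_text).items():
        if s["bytes"] > byte_budget:
            flagged.append((ua, dict(s, single_region_fleet=s["top_region_share"] >= region_share)))
    return sorted(flagged, key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for ua, s in flag_heavy_crawlers(SAMPLE_LOG, byte_budget=100 * 1024 * 1024):
        print(f"{ua}: {s['bytes'] / 2**20:.0f} MiB over {s['requests']} requests, "
              f"{s['top_region_share']:.1%} via {s['top_region']}, crawler UA={s['claims_crawler']}, "
              f"single-region fleet={s['single_region_fleet']}")
```

Run it against real logs as a scheduled job so a crawler fleet shows up as an alert long before it shows up as an invoice.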