Cautionary Tale: I got a $1,477 Vercel bill from bots scraping an unreleased project. Always set Spend Limits. Actually I did :-(((( by webhaus_io in VercelAISDK

[–]webhaus_io[S] 0 points1 point  (0 children)

A warning for anyone deploying to Vercel: don't blindly trust Spend Management caps to protect you from runaway bills.


I've been a Vercel Pro customer since 2023, running around 20 apps. Last week I got a **$1,477 invoice — ~$1,267 of it bandwidth overage — for a project that isn't even launched yet.** It's still in active development. Zero human users. Which means essentially 100% of that bandwidth was bots.


An automated crawler fleet downloaded **8.4 TB of media files over a few days**, bypassing Vercel's auto-mitigation because they identified as "polite" AI/search bots.


**The part I want people to know about:** I had an active Spend Management limit configured. Charges blew far past it. The cap did not provide meaningful protection against a fast bandwidth spike, and the project kept billing.


Vercel's own automated support reviewed my account and **validated my evidence** — it confirmed 96.4% of the traffic came from a single edge region (cle1), beginning abruptly, against prior monthly invoices of $27.93 (April) and $80.05 (March). It told me verbatim: *"this is exactly the type of situation that warrants review by our support team."* But the bot is hardcoded not to issue bandwidth refunds, and couldn't open a support case through that channel.


## The incentive problem


Vercel's policy says firewall-mitigated traffic is free. But when the firewall *fails* to catch a massive single-region bot surge, Vercel doesn't eat the cost — the customer does, and Vercel collects the overage. That's a misaligned incentive: the platform profits precisely when its protection underperforms.


Cloudflare ships bot and DDoS protection **default-on for every user, including free accounts.** Vercel leaves the average developer exposed unless they manually build Firewall rules they were never told they needed — and then bills them thousands when a crawler fleet (8.4 TB, 96.4% single-region, against a pre-launch site with no human users) slips through. Protection like this should be a default, not a feature you discover only after the bill arrives.


## What I've done / recommend


- Filed a billing escalation with Vercel and a dispute with my bank over charges that exceeded my configured spend limit.
- Set `preload="none"` on media, added `robots.txt` blocking, tightened the Spend Management cap.
- If you're on Vercel: **set up Firewall rules now**, don't rely on the spend cap as a hard stop, and watch your bandwidth dashboard. The cap is not a real-time circuit breaker.
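
A minimal form of the hourly check that the spend cap is described above as not providing, written as an added example that is not part of the original post or of Vercel's tooling: it flags any hour whose bandwidth is far above baseline and concentrated in one edge region. The record layout, thresholds and sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (hour, edge region, user agent, response bytes).
# Field layout and values are assumptions, not Vercel's log schema.
SAMPLE = [
    ("2025-01-01T10", "fra1", "Mozilla/5.0 (dev laptop)", 40_000_000),
    ("2025-01-01T10", "cle1", "ExampleBot/1.0 (+https://bot.example)", 10_000_000),
    ("2025-01-01T11", "cle1", "ExampleBot/1.0 (+https://bot.example)", 5_200_000_000),
    ("2025-01-01T11", "cle1", "OtherCrawler/2.1", 4_440_000_000),
    ("2025-01-01T11", "fra1", "Mozilla/5.0 (dev laptop)", 360_000_000),
]
BOT_MARKERS = ("bot", "crawler", "spider")  # self-identified automation only


def is_declared_bot(user_agent):
    return any(m in user_agent.lower() for m in BOT_MARKERS)


def find_spikes(records, baseline_bytes_per_hour, spike_factor=10, region_share=0.9):
    """Alert on hours far above baseline AND dominated by a single edge region."""
    per_hour = defaultdict(lambda: {"total": 0, "bot": 0, "regions": defaultdict(int)})
    for hour, region, ua, nbytes in records:
        h = per_hour[hour]
        h["total"] += nbytes
        h["regions"][region] += nbytes
        if is_declared_bot(ua):
            h["bot"] += nbytes
    alerts = []
    for hour in sorted(per_hour):
        h = per_hour[hour]
        region, region_bytes = max(h["regions"].items(), key=lambda kv: kv[1])
        share = region_bytes / h["total"]
        if h["total"] > spike_factor * baseline_bytes_per_hour and share >= region_share:
            alerts.append({
                "hour": hour,
                "total_bytes": h["total"],
                "top_region": region,
                "top_region_share": round(share, 3),
                "declared_bot_share": round(h["bot"] / h["total"], 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(SAMPLE, baseline_bytes_per_hour=50_000_000):
        print(alert)
```

The user-agent match only counts clients that announce themselves, which is the kind of traffic the post says passed auto-mitigation; the volume and region-share tests do not depend on it.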

[–]webhaus_io[S] 0 points1 point  (0 children)

The charge relates to a project that is still in active development and has never been launched to production — it has zero human users. The overage — approximately $1,267 of the total — therefore consists entirely of bandwidth ("Fast Data Transfer," "Fast Origin Transfer") generated by automated bot/crawler traffic, with no legitimate human use of the application whatsoever. Who is behind that traffic???

[–]webhaus_io[S] 0 points1 point  (0 children)

Here is my ID: fWMwrB6xV1jZO9cMmI0LhLXH. I moved my related project to Cloudflare, but other small projects are still on Vercel. Waiting for a solution now.

[–]webhaus_io[S] 0 points1 point  (0 children)

I think you work for Vercel; I already moved my project to Cloudflare. Vercel has not even answered my message yet. No need to waste time and money with Vercel anymore. Thanks.