DDoS Mitigation False Positive on Multi-tenant Subdomain Project

Current: Legitimate user traffic on multi-tenant subdomain platform (*.weaven.io) is being blocked with 403 Forbidden by Vercel’s DDoS Mitigation system.
Expected: All subdomains under *.weaven.io should be accessible to real users without being flagged as DDoS traffic.

1. Visit any subdomain of weaven.io (e.g. endvchaos.weaven.io)
2. Receive 403 Forbidden error
3. Blocked Request IDs:
   • icn1::mqfnj-1778325716239-f7efd2529192
   • sfo1::t7nj6-1778325244681-839c9f7d1387
     Note: Already tried adding a Custom Rule (Hostname matches .*.weaven.io$ → Bypass) but it does not override system-level DDoS Mitigation.

URL: weaven.io (*.weaven.io)
Framework: Next.js
Plan: Hobby
Architecture: Multi-tenant blog platform — each blog runs on its own subdomain. Multiple different subdomains receiving traffic is expected behavior, not an attack.

Thank you for bringing this to our attention. To ensure this is investigated with the necessary priority and privacy, please report all security-related concerns, potential exploits, or abuse directly to the Vercel Security Team.

Please submit your report here: Report Abuse On Vercel

Reporting via this official channel is the fastest way to reach our security engineers and ensures that sensitive information is handled in a secure environment rather than a public forum.

I’m experiencing the same issue, posted here: Getting 403 in deployment thumbnail and real app traffic, please help

It’s currently driving me crazy, all my requests getting the 403 included myself and I’m in PRO plan