Developer tools
curl pauses vulnerability report handling for July 2026
- Category: Dev tools
- Status: confirmed
- Sources: curl blog (Daniel Stenberg), HN discussion
- Summary: The curl project will suspend vulnerability report handling for July 2026. The HackerOne submission form is paused and the security email address will not process reports from 2026-07-01 00:00 CEST through 2026-08-02; normal handling resumes 2026-08-03 09:00 CEST. Daniel Stenberg's post cites sustained pressure and a vulnerability influx over the prior four months and the maintainers' need for rest. The 8.22.0 release moves two weeks forward to 2026-09-02. Organizations with paid support contracts keep full security access, and GitHub issue and pull-request handling continues normally. The post does not attribute the pause to AI-generated reports.
- Comments: HN reaction was largely supportive; one commenter noted the paid-support carve-out could create pressure to ship a fix anyway if a vulnerability is disclosed publicly during the pause.
- Why it matters: curl ships in billions of devices and is a core dependency, so a one-month gap in coordinated vulnerability handling shifts when reporters can expect triage and may push some toward public disclosure.
- Follow-up: Confirm report handling resumes 2026-08-03 and watch for any public disclosure during the pause window.