Curl will not accept vulnerability reports during July 2026

621 points · 251 comments on HN

Points and comments are a snapshot, not live.

Curl will suspend vulnerability reports throughout July 2026 to give maintainers a planned break.

The curl project announced it will pause vulnerability submissions on its HackerOne form from July 1 to August 3, 2026, and close its security email during the same period. The maintainers cited burnout from sustained pressure over four months and the need for rest. Users with paid support contracts will continue receiving service. The release of version 8.22.0 shifts two weeks later to September 2 to accommodate the backlog from early August. Curl encourages other open source projects to take similar breaks.

What commenters are saying

Commenters praised the decision as overdue and humane. Top discussion centered on maintainer burnout and whether attackers would exploit the gap. Consensus held that bad actors wouldn't submit reports anyway and that companies with zero-days face their own deployment problems. One thread noted the curl codebase's scope across 27+ protocols and multiple HTTP standards justifies 50-hour weeks. Concerns about vulnerability disclosure colliding with support contracts were noted but deemed acceptable given the alternative of complete unavailability.