curl is just closing its inbox for a month and honestly good for them
by matei ·
dev internet open source
curl is shutting off vulnerability reports for the entire month of July. not slowing down, not "deprioritizing." closed. HackerOne portal goes dark July 1st, the security email becomes a void, nothing comes back until August 3rd. they're calling it the "summer of bliss" and at this point they've earned the right to be a little dramatic about it.
how we got here
so back in 2025 curl's bug bounty program basically got eaten alive by AI slop. people were running an LLM, having it hallucinate a vulnerability in a code path curl doesn't even have, and submitting it for bounty money. confirmation rates dropped from a normal 15% down to under 5%. twenty percent of everything coming in was just fabricated nonsense that someone on the team had to spend 30 minutes to several hours proving wrong. stenberg described one 16 hour stretch where seven garbage reports came in back to back. that's not a bug bounty program at that point, that's an unpaid second job debunking AI hallucinations.
so in january 2026 he just killed the bounty program outright. kill the money, kill the incentive for people farming bounties with a chatbot. made sense.
here's the part that's actually kind of funny though: it worked, and then it didn't matter. AI got better. by march when curl went back to HackerOne, confirmation rates bounced back to 15-16%, basically pre-slop levels. the reports people are submitting now are mostly real. the models stopped hallucinating fake CVEs and started actually finding stuff.
cool, problem solved right? no. because volume doubled. and it had already doubled the year before that. so now curl has roughly 4x the report volume of a couple years ago, except now the reports are legit, which means someone still has to triage every single one, reproduce it, patch it, coordinate disclosure. the team is still seven people. seven people do not scale linearly with "AI security research tooling got good."
the actual point here
this is the bit people are missing when they dunk on this announcement. the problem isn't AI generating garbage anymore. the problem is AI generating too much real work faster than seven volunteers can process it. that's a structurally different problem and it's not going away in august. stenberg said it himself, he doesn't expect the deluge to slow down, he just needs his team to not burn out before they get there.
and look, curl runs on like 20 billion installs. it's one of those projects that's so foundational nobody thinks about it until it breaks. but it's still maintained by basically the same handful of people it always has been, while the volume of incoming work has been compounding every year because anyone with an LLM subscription can now point it at a 25 year old C codebase and go fishing. that imbalance was never going to be sustainable, AI slop or not.
so yeah, curl's closing the inbox for a month. paid support contracts still get coverage, GitHub issues stay open, the world keeps spinning. if you found a real vuln in curl in june, congrats, it has to wait. stenberg's advice to other maintainers: do the same thing if you need to. nobody's going to give open source maintainers a raise or a bigger team, so taking the month off is just maintainers doing the only kind of negotiating they actually have leverage to do.