curl maintainers will pause vulnerability intake from July 1 to Aug. 3, 2026, while they take a public month off from security triage pressure.

curl maintainers will stop accepting vulnerability reports for the project from July 1 to Aug. 3, 2026, in a planned break they call the “curl summer of bliss.”
Daniel Stenberg announced the pause on daniel.haxx.se, saying the team will close curl’s HackerOne submission form during that period and ignore vulnerability reports sent by email. The project already rejects email-based vulnerability reports, and the July pause keeps that policy in place.
The break covers one intake channel and one kind of work: security reports. The team will keep curl’s GitHub issue and pull request trackers open for normal development work.
The project also moved curl 8.22.0 to Sept. 2, 2026. Stenberg said the maintainers need extra time in August to handle reports that may arrive after HackerOne reopens at 9 a.m. Central European Summer Time on Aug. 3.
curl occupies a strange place in software infrastructure. Developers use it as a command-line tool, and other programs use libcurl as a transfer library. Operating systems, CI pipelines, appliances, developer tools and cloud systems depend on it. That reach gives each vulnerability report weight, and it also means maintainers can face a heavy stream of low-quality, duplicate or speculative reports.
Open source security programs ask maintainers to act like incident responders, product engineers and public communications staff at once. A report arrives. Someone must reproduce it, judge the impact, coordinate a fix, prepare an advisory, publish a release and respond to the reporter. A flood of reports turns volunteer maintenance into queue management.
Stenberg framed the July pause as a health measure. The maintainers want time away from pressure, time outside and time for ordinary project work. Paid support customers remain covered during the pause, so organizations that need response guarantees can get them through contracts.

The announcement also tests a hard question for open source: can a critical project set office hours for vulnerability intake? The curl team says yes. Reporters who find issues in July must wait until August unless they have a support contract.
Attackers will not honor that schedule, and Stenberg says so. The project accepts the risk. The alternative would ask the same maintainers to keep absorbing pressure without a break.
The policy gives other open source projects a public model. Maintainers can define intake windows, separate free public triage from paid response commitments and tell users where the boundary sits. Users may dislike the boundary, but they can plan around dates and contracts.
curl’s July pause starts at midnight CEST on July 1, 2026. Submissions resume at 9 a.m. CEST on Aug. 3, 2026.
