Inside curl’s Security Pipeline: How 600+ Vulnerabilities Navigate from Report to CVE
With over 300 billion installations worldwide, curl is the silent workhorse of internet data transfer. That ubiquity makes it a high-value target, and the project receives three to four security reports a week through HackerOne. Over six years, nearly 600 such reports have passed through a disclosure pipeline run by just seven maintainers, one that combines public transparency with short, deliberate periods of operational secrecy.
The Triage Gauntlet
The security team sees a new report within about an hour of submission. "Most are dismissed quickly as non-issues," explains Daniel Stenberg, curl's creator. Legitimate bugs with no security impact are moved to the public issue tracker, while genuine vulnerabilities get a collective analysis: the team works out how the flaw could be exploited, agrees on a severity (low, medium, high or critical) and confirms that it reproduces, a process that takes anywhere from hours to days. Of all those reports, only about 80 have become confirmed vulnerabilities in five years, and just two were rated above medium severity.
The Stealth Patch Protocol
- Low/Medium Severity: The fix goes into the public repository as an ordinary-looking pull request that does not mention the security impact. The code gets the project's normal public CI and review, while the security angle stays undisclosed until the release.
- High/Critical: The fix is held back and merged only about 48 hours before the release, keeping the window in which the public commit can be studied as short as possible. "Our entire CI/CD pipeline relies on public code," notes Stenberg. "We can't risk private forks."
The Disclosure Machine
Validated flaws trigger comprehensive advisories detailing:
- Exact version impacts
- Git commit histories
- Exploit mechanisms
- Mitigation guidance
As a CVE Numbering Authority (CNA), curl assigns its own CVE identifiers. About one week before release, the distros list at openwall receives a confidential heads-up so downstream packagers can prepare updates. On release day the advisory and CVE go public together with the code, the HackerOne report is disclosed, and the Internet Bug Bounty pays the reporter according to the assigned severity.
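The "exact version impacts" in an advisory are what a practitioner acts on: the question is whether the curl on a given host falls inside an affected range. The script below is an added example, not code from the curl project or from the original post; the advisory entries and their identifiers ("EXAMPLE-A", "EXAMPLE-B") are constructed placeholders, not real curl advisories or CVE numbers. It parses the banner printed by `curl --version` and compares the version against each constructed range.

```python
"""Check a curl version banner against advisory-style affected version ranges.

Added example. The advisory records below are constructed placeholders for
illustration; they are not real curl advisories or CVE identifiers.
"""
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str            # hypothetical label, not a real CVE identifier
    severity: str
    first_affected: str   # oldest affected version, inclusive
    last_affected: str    # newest affected version, inclusive
    fixed_in: str         # first release containing the fix


# Constructed sample data: placeholder identifiers and ranges only.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-A", "medium", "7.80.0", "8.3.0", "8.4.0"),
    Advisory("EXAMPLE-B", "low", "8.1.0", "8.5.0", "8.6.0"),
]

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) from '8.4.0' or from a curl banner.

    `curl --version` prints a first line such as
    'curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 ...';
    the first X.Y.Z after the word 'curl' is the tool's own version.
    """
    m = re.search(r"\bcurl\s+(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no curl version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def affected_by(version_text: str, advisories=SAMPLE_ADVISORIES) -> list[str]:
    """Return the identifiers of advisories whose affected range covers the version.

    Tuple comparison gives correct numeric ordering, so 7.80.0 < 8.2.0 and
    8.10.0 > 8.9.0, which a plain string comparison would get wrong.
    """
    version = parse_version(version_text)
    hits = []
    for adv in advisories:
        low = parse_version(adv.first_affected)
        high = parse_version(adv.last_affected)
        fixed = parse_version(adv.fixed_in)
        # A well-formed advisory has first <= last, and the fix is newer than last.
        if not (low <= high < fixed):
            raise ValueError(f"malformed version range in {adv.ident}")
        if low <= version <= high:
            hits.append(adv.ident)
    return hits


def local_curl_banner() -> str:
    """Run `curl --version` on this host and return its first line."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    try:
        banner = local_curl_banner()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Constructed banner used when curl is not installed locally.
        banner = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2"
    print(banner)
    print("affected by:", affected_by(banner) or "nothing in the sample set")
```

One caveat this check cannot capture: distributions routinely backport a fix without bumping the version number, so a version-only comparison overstates exposure on such packages. The advisory's git commit reference, which curl's advisories also include, is the reliable way to confirm whether a particular build carries the fix.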
The Human Firewall
This machine runs on volunteer rigor:
"The heroes work in silence without much ado"
– Daniel Stenberg
The current security team consists of Max Dymond, Dan Fandrich, Daniel Gustafsson, James Fuller, Viktor Szakats, Stefan Eissing, and Stenberg himself. The project ships on a fixed eight-week release cycle, so a fixed vulnerability waits at most 56 days for the next scheduled release.
Why Transparency Wins
By publishing every HackerOne report post-resolution, curl sets a benchmark in vulnerability transparency. This approach—balancing operational secrecy with full disclosure—fortifies trust in open-source ecosystems. For projects handling critical infrastructure, curl’s workflow offers a masterclass in scaling security without sacrificing velocity.
Source: Daniel Stenberg's blog