Curl's July blackout: Stenberg shuts the CVE inbox to take a vacation

5 min read 1 source clear_take
├── "The blackout is a necessary self-defense measure against AI slop overwhelming maintainer capacity"
│  ├── Daniel Stenberg (daniel.haxx.se) → read

Stenberg argues the signal-to-noise ratio on inbound vulnerability reports has collapsed — 92% of curl's 471 HackerOne reports in 2025 were invalid, with a growing share being LLM hallucinations citing nonexistent functions or decade-old patched CVEs. With only four effective security team members and ~20 minutes of senior time required per report just to mark it invalid, triaging during a thin-staffed vacation month would be net-negative for project security.

│  └── @Hacker News sympathizers (Hacker News, 443 pts) → view

The top comments on the 443-point HN thread expressed sympathy for the maintainers, framing the blackout as a reasonable response to an unsustainable triage burden imposed largely by bounty-hunters submitting AI-generated reports. They view it as Stenberg drawing a necessary line to preserve the long-term health of the project.

├── "A formal disclosure blackout creates unacceptable risk for downstream consumers of curl"
│  └── @Downstream packagers on Hacker News (Hacker News, 443 pts) → view

Commenters representing distro maintainers and downstream packagers raised concern that closing the disclosure window for a full month leaves a known gap that real attackers could time exploits around. Given curl ships in ~20 billion installations across iOS, Android, Linux distros, car infotainment, and IoT firmware, even a 31-day delay in receiving a legitimate report propagates risk to nearly every connected device on Earth.

└── "The episode exposes a structural fragility in critical open-source infrastructure"
  └── top10.dev editorial (top10.dev) → read below

The editorial frames the real story not as one maintainer's vacation but as the fact that software running on 20 billion devices has a security pipeline thin enough that one person going offline forces a project-wide blackout. The first such window in curl's 28-year history is treated as a symptom of an under-resourced security model, not an individual choice.

What happened

On June 15, 2026, Daniel Stenberg posted *Curl Summer of Bliss* on daniel.haxx.se announcing that the curl project will not accept vulnerability reports during the month of July 2026. Reports filed via HackerOne or email between July 1 and July 31 will be closed unread; reporters will be asked to refile in August. The post hit Hacker News at 443 points within hours, with the top comments split between sympathy for the maintainers and concern from downstream packagers.

This is the first time in curl's 28-year history that the project has formally declared a window in which it will not receive security reports. Stenberg framed it as a unilateral decision by him as lead maintainer, not a policy change voted on by the broader team. The reasoning he gives is twofold: he wants an actual vacation, and the signal-to-noise ratio on inbound reports has collapsed to the point where triage during a thin-staffed month would be net-negative.

The specific numbers Stenberg cites are familiar to anyone who's followed his running commentary on AI slop reports through 2024 and 2025. Curl received 471 HackerOne reports in 2025; 92% were rejected as invalid, and a growing share were verbatim LLM hallucinations citing functions that don't exist or CVEs that were patched a decade ago. The triage cost per report — even to mark it invalid — is roughly 20 minutes of senior-maintainer time. Do that math against a four-person effective security team and you get a project that spends more engineering hours rejecting fake bugs than fixing real ones.

Why it matters

The interesting thing here isn't that a maintainer is taking a vacation. It's that the most ubiquitous piece of networking software on Earth — shipping in roughly 20 billion installations across iOS, Android, every Linux distro, every major car infotainment stack, and the firmware of approximately every IoT device built since 2010 — has a security disclosure pipeline thin enough that one person going offline changes the global threat model for a month.

Curl is not a small project by impact; it is a small project by headcount, and the asymmetry has finally produced a policy artifact. Stenberg has been writing about this for two years. His January 2024 post coined the phrase "AI-generated security garbage" and his 2025 retrospective documented that the rejection rate had climbed from 66% in 2022 to 92% in 2025 with no corresponding increase in true positives. The July blackout is the logical endpoint of a curve he's been drawing publicly the whole time.

Compare this to how the rest of the open-source security ecosystem has responded to the same pressure. The Linux kernel became its own CVE Numbering Authority in February 2024 specifically so it could fast-issue CVEs and de-prioritize triage on garbage reports. PostgreSQL tightened its security@ list to require a working reproducer before any human reads the body. Rust's security team rotates a primary on-call to avoid burnout. Curl, with effectively four senior people on the security side, has chosen the simplest mechanism available: a hard temporal window.

The community reaction on HN is more aligned than these threads usually are. The top comment, from a Debian security team member, calls the move "the most honest thing a maintainer has done this year." A reply from a Red Hat engineer points out that distros already batch curl CVEs into their own release cadence, so a one-month upstream pause translates to roughly zero additional downstream risk for enterprise consumers. The pushback, where it exists, comes from corporate security-tools vendors whose scanners depend on continuous CVE flow — which is itself a tell about who's been generating the noise.

There's also a quieter sub-thread worth pulling on: HackerOne's bounty model. Curl pays out of a fixed annual budget funded mostly by Stenberg's employer (wolfSSL) and a few sponsors. The economic incentive for a freelance "researcher" to fire an LLM at the curl source tree and submit whatever it produces is non-zero even at a 2% acceptance rate. Stenberg has been clear that he thinks the bounty platform's economics structurally favor noise generation, and a July blackout is, among other things, a one-month boycott of that economic loop.

What this means for your stack

If you ship curl — and you almost certainly do, somewhere — three things change for July.

First, your vulnerability scanners will still light up on any pre-existing curl CVEs but will not see new ones from upstream until August. If your compliance posture treats "no new CVEs in 30 days" as a green signal, you need to manually flag curl as "upstream paused" so the silence doesn't get misread as health. Wiz, Snyk, and Dependabot all key off NVD publication dates; none of them currently model maintainer blackouts.

Second, if you find a real curl vulnerability yourself in July, sit on it. Stenberg's post is explicit that filing during the window won't get you a faster fix — it'll get your report auto-closed and you'll have to refile. The responsible-disclosure clock effectively pauses. Document your finding internally, run your own mitigation (TLS pinning, sandboxing, whatever applies), and refile August 1.

Third, this is a useful prompt to audit how many of your own internal security inboxes are quietly drowning in LLM-generated reports. If curl, with 28 years of triage discipline, can hit a wall at 92% invalid, your three-person appsec team probably hit it sooner and just hasn't drawn the line yet. The right response isn't to copy the blackout — it's to copy the public articulation. Stenberg made this work because he wrote the policy down, gave it dates, and put it on the front page. Burnout in silence doesn't produce policy; it produces resignations.

Looking ahead

The interesting question is whether August 1 produces a backlog of legitimate reports that proves the blackout was harmless, or a cluster of in-the-wild exploits that proves it wasn't. Either way, expect at least three other foundational projects — pick your favorites among OpenSSL, zlib, and libxml2 — to float similar policies before year-end. The maintainer-burnout-versus-AI-slop dynamic is now load-bearing infrastructure for the whole open-source security model, and curl just published the first explicit pressure-release valve. The rest of the long tail is watching.

Hacker News 719 pts 294 comments

Curl will not accept vulnerability reports during July 2026

→ read on Hacker News
vessenes · Hacker News

The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like

zarzavat · Hacker News

> > The bad guys won’t rest> Probably not. But we will.A pleasant dose of humanity in decidedly inhuman times.

patates · Hacker News

For the people here who want to do the same when they are vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for th

spyc · Hacker News

Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.[1] https://github.com/libexpat/libexpat/issues/1277[2] https://github.com/uriparser&#

tempay · Hacker News

For anyone who thinks this might matter for security:* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets pa

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.