The curl project will not accept or otherwise handle any vulnerability reports during the month of July 2026. We call it the curl summer of bliss.
Vulnerability rate
As previously mentioned, we have been under a huge pressure for the last four months or so. Now we need some rest. We do not expect this deluge to be over
Call me crazy, but this seems like a terrible idea. Especially announcing it two weeks early, you give every malicious attacker a heads-up: “curl will not be patched in July”, start finding 0-days now.
Also, it’s not like they would have stopped releasing new code one month before and therefore all new vulns could (theoretically) have been found; they are going to release a new version 8 days before their vacation (curl - Release Table).
Everyone needs vacations, but this feels like abandoning your post. There should always be one person in standby. Rotate your teams so everyone gets vacation but the project is never left without surveillance.
Long term health of the project is more important, and the devs definitely deserve a vacation. If you can’t take the risk, stop using curl until August release patches the holes. Or the very least, offer them a lucrative support contract that makes it worth their while to pause that vacation.
tbh I do understand the other side also: announcing that you’re pausing security vulnerabilities may get hackers (especially black hats) to go all out on finding vulnerabilities and exploiting devices using curl all round.
Maybe I’m at least hoping that severe or critical vulnerabilities get taken seriously.
Response to @maqp and @EsperZero. No one is forcing anyone to work on curl, so I don’t get the ‘enslavement’ narrative. As I said, there are probably multiple maintainers, so they can just put one of them on standby while the others take vacation and rotate that way.
Also, I will reiterate that I don’t get why they have to take vacation all at the same time. The reason you create a project with an institution is precisely so it doesn’t rest on the shoulders of one maintainer. That also means you should get the benefit of both being humane (allowing off-time) and being reliable (having off-time for devs without abandoning the project).
And again, even if you were to do such a thing, don’t announce it in advance… And don’t release a new version a week prior.
If curl is really important to you, you can sign a service contract (pay), and you’ll get support, probably a vulnerability fix if it happens during this time.
I think this is a good way to tell billion dollar companies they should spend some money on software they’ve been using for free or assign their own staff to fix things.
As you said, nobody is working for curl. This isn’t a product by a company. The best you can say is “if it so happens that someone isn’t taking a vacation in July, they might see if they have energy to fix it”. But it’s the developers’ business when they take vacation, and if it happens that it’s all during July, then it’s fair they let people know about it beforehand.
even if you were to do such a thing, don’t announce it in advance…
That’s security through obscurity. Exploits are being looked for anyway, eight days a week. The reason you let people know about the downtime is so those who rely on it for security can abstain from using it. They absolutely don’t want to learn about the downtime and why they were pwned a posteriori if it could’ve been avoided.
But, unless you’re stepping up to help them start a sustainable non-profit around the project that can offer continuous vulnerability patching, this critique unfortunately falls into the choosing beggars category.