alt Hacker NewsCurl will not accept vulnerability reports during July 2026
Comments
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
For the people here who want to do the same when they are vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.
Signed: Former workaholic.
Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.
For anyone who thinks this might matter for security:
* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
I can only applause this decision. Maintainers of FOSS project are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests exploded even further. The fact that they actually keep providing support to paying users is enough.
as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
What this shows me (again) is that the whole system where vulnerabilities need to be constantly discovered, reported, analyzed, then patched, then the new version distributed to every singe user - again and again - is quite obviously unsustainable. The industry must come up with some alternative system for dealing with bugs and security issues. Currently the industry prefers to play dumb and turn its own failures into a profit (rent seeking) opportunity.
Here's your reminder that 20-30 days paid vacation plus unlimited sick days (3+ days needs a doctor's note) is normal in Europe (e.g. Germany).
If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.
You can't (generally) be fired without a notice period, resulting in job security to such a degree that ~6k in an emergency fund is plenty to be VERY secure, as you also get unemployment support otherwise anyway. Does this result in incompetent people not getting fired? No. You still fire them, you just have to deal with them another month after that. It's not a big price to pay.
How is this all possible? Who subsidizes it? We all simply pay some % of our income to support this system. That's it. A couple percent, a couple bucks, and we get to basically never worry about starving or becoming homeless.
You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.
I read one sentence into this and knew directly that the developer must’ve been Swedish!
>> The bad guys won’t rest > Probably not. But we will.
This is Exceptional. Perfect EuroMaxxing
With more advance notice, someone could have found resources to fork curl with different vulnerability management expectations, e.g., "will not accept or otherwise handle any vulnerability reports during the month beginning 21 December 2026. We call it The Winter of Our Discontent."
Why is curl catching so many security issues?
I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
This is great. Good decision.
Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D
If employees are never truly unavailable then companies WILL become overly dependent on them.
what a fantastic advertisement
Today is Jun 15. So, I wonder if somebody + AI can rewrite curl in Rust in 1.5 months. I think it's possible if that person knows all curl features. However, does that person even exist?
Properly euromaxxing, this is the way.
> Contracts excluded
They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it
Wish them nothing but good rest!
Based! Amazing approach, enjoy the vacation!
Great to see this stance
Good for them & haxx!
down-under says: enjoy your summer :)
I heartily endorse the Fuck You Pay Me support process.
So it is holiday season.
I thought this was due to AI slop spam before I read the blog entry.
Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.
SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!
> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week
I wonder what is there to work on curl 50 hour weeks for 7 years?
A curious approach, but I like it!
Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)
The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!