Curl will not accept vulnerability reports during July 2026

The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!

Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323

> > The bad guys won’t rest

> Probably not. But we will.

A pleasant dose of humanity in decidedly inhuman times.

For the people here who want to do the same when they are vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.

Signed: Former workaholic.

I can only applause this decision. Maintainers of FOSS project are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests exploded even further. The fact that they actually keep providing support to paying users is enough.

For anyone who thinks this might matter for security:

* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.

as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...

What this shows me (again) is that the whole system where vulnerabilities need to be constantly discovered, reported, analyzed, then patched, then the new version distributed to every singe user - again and again - is quite obviously unsustainable. The industry must come up with some alternative system for dealing with bugs and security issues. Currently the industry prefers to play dumb and turn its own failures into a profit (rent seeking) opportunity.

Why is curl catching so many security issues?

I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections

I read one sentence into this and knew directly that the developer must’ve been Swedish!

>> The bad guys won’t rest > Probably not. But we will.

This is Exceptional. Perfect EuroMaxxing

With more advance notice, someone could have found resources to fork curl with different vulnerability management expectations, e.g., "will not accept or otherwise handle any vulnerability reports during the month beginning 21 December 2026. We call it The Winter of Our Discontent."

Here's your reminder that 20-30 days paid vacation plus unlimited sick days (3+ days needs a doctor's note) is normal in Europe (e.g. Germany).

If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.

You can't (generally) be fired without a notice period, resulting in job security to such a degree that ~6k in an emergency fund is plenty to be VERY secure, as you also get unemployment support otherwise anyway. Does this result in incompetent people not getting fired? No. You still fire them, you just have to deal with them another month after that. It's not a big price to pay.

How is this all possible? Who subsidizes it? We all simply pay some % of our income to support this system. That's it. A couple percent, a couple bucks, and we get to basically never worry about starving or becoming homeless.

You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.

This is great. Good decision.

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D

what a fantastic advertisement

Today is Jun 15. So, I wonder if somebody + AI can rewrite curl in Rust in 1.5 months. I think it's possible if that person knows all curl features. However, does that person even exist?

> Contracts excluded

They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it

Properly euromaxxing, this is the way.

Wish them nothing but good rest!

Based! Amazing approach, enjoy the vacation!

Good for them & haxx!

Great to see this stance

An evil way to extort money via support contracts.

down-under says: enjoy your summer :)

I heartily endorse the Fuck You Pay Me support process.

So it is holiday season.

I thought this was due to AI slop spam before I read the blog entry.

SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!

> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week

I wonder what is there to work on curl 50 hour weeks for 7 years?

A curious approach, but I like it!

Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)

Signed: Former workaholic.

This is great. Good decision.

what a fantastic advertisement

Wish them nothing but good rest!

down-under says: enjoy your summer :)

> > The bad guys won’t rest

> Probably not. But we will.

A pleasant dose of humanity in decidedly inhuman times.

That was just a beautiful, period.

I wonder what is there to work on curl 50 hour weeks for 7 years?

The site you got that quote from is in fact a blog where some of your questions might find answers.

That was just a beautiful, period.

The site you got that quote from is in fact a blog where some of your questions might find answers.

>> The bad guys won’t rest > Probably not. But we will.

This is Exceptional. Perfect EuroMaxxing

Here's your reminder that 20-30 days paid vacation plus unlimited sick days (3+ days needs a doctor's note) is normal in Europe (e.g. Germany).

If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.

You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.

Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D

Great to see this stance

Based! Amazing approach, enjoy the vacation!

Properly euromaxxing, this is the way.

Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

So it is holiday season.

I thought this was due to AI slop spam before I read the blog entry.

Good for them & haxx!

I heartily endorse the Fuck You Pay Me support process.

I read one sentence into this and knew directly that the developer must’ve been Swedish!

For people who aren’t familiar, Sweden takes summer holidays seriously. 25-30 days + public holidays is a normal amount of annual vacation time, and if an employee requests it and has the time available, it’s basically legally required to allow them to take a four-week contiguous summer break.

(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)

Yup, same thought in Norwegian. Norway basically shuts down during July.

Hahaha yeah same here! My $dayjob has offices in Sweden and their summer breaks are legendary. We also have offices in the US, and the culture shock with the Americans never gets old

I knew instantly that it's him. No one is even remotely as hungry for attention as him.

What's the better solution?

Also, what's an example of this rent seeking in open source you're talking about?

I think you're right, and the solution is security through compartmentalization. See: https://qubes-os.org.

> Contracts excluded

They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it

Curl has a ton of features, I can imagine this means fixing small fraction of the vulns affecting only the supporters.

I liked the idea as well, maybe OSS should adopt 6 months availability and 6 months for enterprise support schedule. This way both could benefit, OSS gets more funding, enterprise gets support (cheaper than hiring full-time employee for specific OSS)

Here I was thinking that cURL's (non-existent) enterprise support contracts were a polite way to tell brain-dead paper pushers to GTFO: https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...

It's an extremely un-European approach. European companies normally ignore their paid customers too from May to August.

For anyone who thinks this might matter for security:

> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co

No, that is the point, they are not going to accept your vuln report. They are taking a holiday.

> curl is mature enough that the chance of an impactful bug is basically zero

Curl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, its a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...

Why is curl catching so many security issues?

I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections

curl isn't more prone to security issues, it's just being talked about more. Daniel has an active blog, is active on social media, and interacts with the community. I don't think the nginx team has that presence, hence if they take a vacation or run mythos on their codebase or have an opinion about AI nobody really knows.

It presumably runs in a gazillion scripts.

An evil way to extort money via support contracts.

...so open source developers should know their place and just dedicate themselves to endless, unpaid toil forever and ever, amen?

A curious approach, but I like it!

Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

It would certainly be irresponsible.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.

Just publish early due to a documented lack of cooperation. They don’t have to answer, but you dont have to wait.

Naturally some people find that this offensive since this puts a price to that “bliss”.

Today is Jun 15. So, I wonder if somebody + AI can rewrite curl in Rust in 1.5 months. I think it's possible if that person knows all curl features. However, does that person even exist?

curl used to have rust in it, dropped it 1.5 yrs ago. AI doesn't help with the hard parts here i don't think. https://daniel.haxx.se/blog/2024/12/21/dropping-hyper/

If that were possible it would already have been done.

There are projects like this: urlx, curlio.

Yup, same thought in Norwegian. Norway basically shuts down during July.

Here I was thinking that cURL's (non-existent) enterprise support contracts were a polite way to tell brain-dead paper pushers to GTFO: https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...

I think you're right, and the solution is security through compartmentalization. See: https://qubes-os.org.

Hahaha yeah same here! My $dayjob has offices in Sweden and their summer breaks are legendary. We also have offices in the US, and the culture shock with the Americans never gets old

I knew instantly that it's him. No one is even remotely as hungry for attention as him.

If that were possible it would already have been done.

curl used to have rust in it, dropped it 1.5 yrs ago. AI doesn't help with the hard parts here i don't think. https://daniel.haxx.se/blog/2024/12/21/dropping-hyper/

They dropped the hyper backend, but that wasn’t the only Rust code in tree.

(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)

Curl has a ton of features, I can imagine this means fixing small fraction of the vulns affecting only the supporters.

> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co

No, that is the point, they are not going to accept your vuln report. They are taking a holiday.

It's an extremely un-European approach. European companies normally ignore their paid customers too from May to August.

What's the better solution?

Also, what's an example of this rent seeking in open source you're talking about?

It would certainly be irresponsible.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.

> curl is mature enough that the chance of an impactful bug is basically zero

Just publish early due to a documented lack of cooperation. They don’t have to answer, but you dont have to wait.

Naturally some people find that this offensive since this puts a price to that “bliss”.

It presumably runs in a gazillion scripts.

...so open source developers should know their place and just dedicate themselves to endless, unpaid toil forever and ever, amen?

Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).

Ditto Australia: https://www.fairwork.gov.au/leave/annual-leave

  Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.

This is normal in most countries apart from the contiguous break requirement.

I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.

I thought it's basically the same in all of EU?

nice idea to time vacation in the summar, right around major security conferences (blackhat, defcon, etc), when large bulk of CVEs get published, to put some fire under the enterprise butts

Until someone races to the bottom to do 12 months of availability.

Why would you imagine they have any clue about the area of effect if they ignore the report?

Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.

There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.

Incorrect. In europe, either july or august, is the informally agreed upon "vacation month" which means that both customers and vendors scale down and go on vacation, and work slows down to very low levels. That means you need a lot less employees than usual in order to provide for the customers that do not go on vacation.

I mean, looking at most us company's.. What support?

ignore is not the right word.

> What's the better solution?

IMO Writing correct software the first time around - so formal methods.

But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).

the vulnerability is there whether disclosed or not. if you find it, someone else has too. sitting on it is the irresponsible thing.

Why not? Only a tiny fraction of curl user get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of them having their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.

curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.

There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.

Wrong, but thanks for documenting how uncooperative you are.

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

They dropped the hyper backend, but that wasn’t the only Rust code in tree.

This is normal in most countries apart from the contiguous break requirement.

nice idea to time vacation in the summar, right around major security conferences (blackhat, defcon, etc), when large bulk of CVEs get published, to put some fire under the enterprise butts

I thought it's basically the same in all of EU?

I mean, looking at most us company's.. What support?

Why would you imagine they have any clue about the area of effect if they ignore the report?

Wrong, but thanks for documenting how uncooperative you are.

> What's the better solution?

IMO Writing correct software the first time around - so formal methods.

But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).

Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

the vulnerability is there whether disclosed or not. if you find it, someone else has too. sitting on it is the irresponsible thing.

Ditto Australia: https://www.fairwork.gov.au/leave/annual-leave

  Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.

Yeah, but there's little culture of actually taking that time.

Sweden is fairly unique in allowing the employee to take a 4 week break. Is Australia the same?

2 weeks is the acceptable limit in the UK for example (where also has 20-35 holiday is common) though if you can convince your boss otherwise, you can take longer, but most people can't

Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).

There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.

Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.

Until someone races to the bottom to do 12 months of availability.

ignore is not the right word.

curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

To be fair, at least in Spain, things get really slow during the summer, basically from May to the end of August, even if "officially" everything is just "slow and closed" during August. During August, anything productive is basically impossible to get done, the months around are still slower than the rest of the year.

Of course, "European companies normally ignore their paid customers too from May to August" is factious, but there is a slight hint of truth in there, in that things generally is slower, at least in the South/West countries I'm more familiar with.

Vacation months*, plural. All project timelines were aligned to wrap up important things by the end of May. June is still operational but mostly focused on reporting, shaping and generally preparing for September when (mostly) everyone will be back, refreshed and ready for new adventures.

Kinda like how the aerospace industry basically shuts down for the month of December.

This might not be true for Sweden, but Denmark have an interesting rule that makes contacting people in their vacation fairly expensive. If I'm asked to change my plans, my employer needs to compensate me financially. If you get a call and need to work for 30 minutes, then you are entitled to a full replacement day, not just the 30 minutes. For some jobs, interrupting people on vacation simply isn't allowed.

Curl maintainers are clearly going to still be using computers to provide support for paid customers.

But the message is pretty clear: if you’re not a paid customer, you are not getting patches or support from upstream during this month.

Plan accordingly.

Not if it's a real vacation. If it was me then there would be no way I'd log in. Maybe this will increase the sales of support contracts.

That’s great! It’s very much not the norm here in general tho, in my experience two weeks would be the max people would take off contiguously.

Wow literally never heard of people taking 4 weeks off in the UK. Is this a new thing to deal with child care in the summer holidays?

Is this at the executive level?

I wonder if the likes of Red Hat, SuSE and Canonical have a support contract as they are commercial redistributors.

Races to the bottom to … do work exclusively for free and not make any money out of the hopes that they become the most popular OSS toolkit, with an end goal of … what?

A race to the bottom of… unpaid work that eliminates the paid work? Can you elaborate?

then it is up to community to fork the project if they find it valuable and can convince people migrating to their fork.

many engineers actually work that way, right? We are employed for 12 months and give our availability fully to the company and we get salary for it, why isn't it allowed to others?

Isn't that what we have already?

That’s just the status quo.

Please go ahead and fork curl

Ah yes, people will just be clamoring to use hURL

In Poland smaller companies tell you outright: this and that person is on vacation, but plese call back in 2 weeks. Bigger companies will often ignore you and drag your problem through the vacation time.

curl is only the sandbox if you don't then do anything with the byte stream.

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

Sweden is fairly unique in allowing the employee to take a 4 week break. Is Australia the same?

2 weeks is the acceptable limit in the UK for example (where also has 20-35 holiday is common) though if you can convince your boss otherwise, you can take longer, but most people can't

Some employers "force" their employees to use a portion of their annual leave during the Christmas / New Year shutdown period (usually 24 December -> first full week after New Years Day, if not longer). So you might not be able to use the full 4 weeks continuously.

This can be an unwelcome feature for some people, for example, if you want to have a vacation in the northern hemisphere summer season instead and/or maybe you don't have substantial family in Australia (or at least, those you actually want to see).

The auscorp reddit has a yearly thread on this issue: https://www.reddit.com/r/auscorp/comments/1mw6pqt/end_of_yea...

Those with school aged children might also want to save some of their annual for the mid-term/mid-year breaks as well. (Our academic years are aligned to calendar years)

Likely varies by industry - a peer Australian (probably in private IT ?) stated it's uncommon to take a break, whereas I'd say in mining, oil, gas, civil service, police and a good number of structured contract employment its more common.

I've "retired" into agriculture and a lot of farmers take a month off after harvest time to go fishing or other wise relax (this generally means filling up a couple of deep chest freezers with fish for the rest of the year).

In Germany your employer has to grant you two consecutive weeks of vacation by law, and vacation is very rarely denied, even for 3–4 weeks breaks.

Yeah, but there's little culture of actually taking that time.

Kinda like how the aerospace industry basically shuts down for the month of December.

Not if it's a real vacation. If it was me then there would be no way I'd log in. Maybe this will increase the sales of support contracts.

Curl maintainers are clearly going to still be using computers to provide support for paid customers.

But the message is pretty clear: if you’re not a paid customer, you are not getting patches or support from upstream during this month.

Plan accordingly.

That’s great! It’s very much not the norm here in general tho, in my experience two weeks would be the max people would take off contiguously.

Wow literally never heard of people taking 4 weeks off in the UK. Is this a new thing to deal with child care in the summer holidays?

Is this at the executive level?

That’s just the status quo.

Isn't that what we have already?

Please go ahead and fork curl

I guess our experiences vary - our family had month long adventure vacations most years since the 1970s, and growing up we did a half year tour about the whole country when dad got cumulative long service year.

Time to start looking for a work visa.

Races to the bottom to … do work exclusively for free and not make any money out of the hopes that they become the most popular OSS toolkit, with an end goal of … what?

Validation, often. Stars and installs make self-worth integer go up, etc.

Greed, sometimes. Gotta get those usercounts high to get acquihired / to sell out / to flip on the paid subs for formerly free features.

I can’t remember the word for “prosocial through lowering cost to zero” is but sometimes that too.

End goal of complaining that no one pays for their efforts.

Hacker Times

Hacker Times

Curl will not accept vulnerability reports during July 2026

Discussion

Discussion

Vacation for real

Side-effects

Vulnerability rate

GitHub

You too?

The bad guys won’t rest

But what if there is an emergency

Contracts excluded

Credits

Discussed

Post navigation