
The curl project is pausing all vulnerability reports for July 2026, citing the need for a vacation due to intense pressure from AI-generated submissions. Only paid support contracts will retain access.
- Curl pauses vulnerability reports throughout July 2026.
- The team is taking a break from the overwhelming AI-generated submissions.
- Some other open-source projects are joining the summer hiatus.

The open source project curl won’t accept or handle any reports on Hackerone between July 1st and August 3rd, 2026, calling it the “summer of bliss.” Curl won’t accept any email submissions even after the vacation.
Curl is one of the most widely used libraries for data transfer on the internet, built into billions of devices and apps, as well as a standalone command-line tool.
The move signals a shift in open source maintainers' attitudes toward security reports, which just a few years ago were treated as drop-everything emergencies. For a while now, Daniel Stenberg, creator of the utility, has complained about the overwhelming flood of AI-generated submissions.
He acknowledges that the quality of AI-generated reports has been improving from “stupid AI slop” to “reports that identify a bug, meaning that they aren’t vulnerabilities but still some kind of problem.”
However, the volume of the reported issues has been overwhelming. Stenberg estimates that the rate of reports doubled this year from 2025, which was already more than double previous years' rates, despite curl having discontinued its bug bounty program earlier this year.
“Now we need some rest. We do not expect this deluge to be over,” Stenberg said in the latest blog post.
“The curl maintainers will use this time of less pressure to take in some extra air and to enjoy the summer. Maybe stroll outside a bit more. Breathe. Some of us may spend some of this time to see other places.”
The announcement likely doesn’t mean that curl won’t fix any critical issues if they arise. Also, curl’s issue and pull-request trackers remain open on GitHub. Stenberg also notes that paid support contracts still get full service during the break.
Stenberg also announced a delay of the curl 8.22.0 release, which is being pushed back two weeks, scheduled for September 2nd, 2026.
Cyber pros appear to agree with this approach. Cybersecurity community members on Reddit noticed that curl handled 19 reports in 15 days on HackerOne, and nearly all of them were of little or no value, written by AI agents. The last resolved report that was not categorized as “not-applicable,” “informative,” or duplicate was from over two months ago.
Other projects are joining
Stenberg also believes that other open source maintainers should prioritize their own well-being, and suggests they take a vacation as well.
“If you and your open-source projects also want to participate in the summer of bliss 2026, just do it and let us know! I would of course encourage you to do so,” his blog post reads.
The author acknowledges that bad actors won’t take a break.
“But we will,” Stenberg said bluntly.
Some open-source projects have already announced they will be joining the vacation.
Sebastian Pipping, maintainer of the libexpat XML parser, said their break began on Monday and that they will not accept new vulnerability reports until August 1st. Instead, they’ll continue working on known unfixed vulnerabilities and the upcoming releases.