Curl will not accept vulnerability reports during July 2026
- vessenes - 8565 seconds ago
The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!
- zarzavat - 11590 seconds ago
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
- patates - 10826 seconds ago
For the people here who want to do the same when they are on vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.
Signed: Former workaholic.
- laszlojamf - 10789 seconds ago
As much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
- flaburgan - 11212 seconds ago
I can only applaud this decision. Maintainers of FOSS projects are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests exploded even further. The fact that they actually keep providing support to paying users is enough.
- tempay - 8956 seconds ago
For anyone who thinks this might matter for security:
* curl is mature enough that the chance of an impactful bug is basically zero
* if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
* if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
- eviks - 2833 seconds ago
> Contracts excluded

They aren't. If you ignore vulnerability reports from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it.
- low_tech_love - 10599 seconds ago
I read one sentence into this and knew directly that the developer must’ve been Swedish!
- napolux - 6460 seconds ago
Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D
- ubanholzer - 11392 seconds ago
This is great. Good decision.
- a13n - 11722 seconds ago
What a fantastic advertisement.
- okeuro49 - 8504 seconds ago
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
- NietTim - 8921 seconds ago
Properly euromaxxing, this is the way.
- fnoef - 7006 seconds ago
Based! Amazing approach, enjoy the vacation!
- vortegne - 11369 seconds ago
Wish them nothing but good rest!
- intronic - 11236 seconds ago
Down-under says: enjoy your summer :)
- davidgerard - 1575 seconds ago
I heartily endorse the Fuck You Pay Me support process.
- shevy-java - 2402 seconds ago
So it is holiday season.
I thought this was due to AI slop spam before I read the blog entry.
- cat_plus_plus - 6824 seconds ago
SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!
- maxbond - 11288 seconds ago
Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.
- dist-epoch - 11233 seconds ago
> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week
I wonder what is there to work on curl 50 hour weeks for 7 years?
- rustyhancock - 10706 seconds ago
A curious approach, but I like it!
Wonder if this means just publishing vulnerabilities without contact with the curl team would be responsible (you have no other path to tell vulnerable users).