curl Summer of Bliss: Vulnerability Reporting Paused for July 2026

Jun 17, 2026

curl pauses vulnerability reports for July 2026

The curl project will not accept or process any vulnerability reports from July 1, 2026 (00:00 CEST) to August 3, 2026 (09:00 CEST). This period, termed the "curl summer of bliss," is a planned hiatus for maintainers to recover from significant workload pressure experienced over the preceding four months.

During this window, the following channels will be inactive:

  • HackerOne: The curl submission form will be paused.
  • Security Email: The dedicated security email address will not be monitored or processed.

The general GitHub issue and pull request trackers will remain open and active. Vulnerability report submissions will resume on Monday, August 3, 2026.

Impact on Release Schedule and Support

To accommodate the backlog of issues expected to accumulate during the hiatus, the release of curl 8.22.0 has been pushed back two weeks to September 2, 2026.

Paid Support Contracts

Paid support contracts are excluded from this pause. Organizations and individuals with a paid support contract will continue to receive full and appropriate security services and vulnerability handling during the month of July.

Rationale and Maintainer Well-being

Project lead Daniel M. Haxx noted that the maintainers have been under "huge pressure" for several months and require rest to avoid burnout. He encouraged other open-source project maintainers to prioritize their own well-being and adopt similar "summer of bliss" practices.

Community Perspectives and Analysis

The announcement sparked significant discussion among the developer community regarding the sustainability of open-source maintenance.

Sustainability and Funding

Some community members expressed concern that the project's reliance on a small number of individuals creates a systemic risk. One commenter noted:

"...this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free with no backup... It's a weird, IMO unhealthy, twilight zone that isn't good for anybody."

The "Support Contract" Model

Observers viewed the move as both a practical necessity and a strategic incentive for enterprise support. By maintaining service for paid contracts while pausing public reports, curl provides a clear value proposition for organizations that cannot afford a month of security silence.

Security Implications

Some argued that the pause is low-risk due to the curl project's maturity. One contributor suggested that the likelihood of an impactful bug appearing during this specific window is low, and that upstream releases can wait while package managers handle critical patches if necessary.

Industry Ripple Effects

Following curl's lead, other projects including libexpat (Expat) and uriparser announced they would also follow the "curl security vacation" and pause vulnerability reports until August 1, 2026.
