Curl will not accept vulnerability reports during July 2026

a13n

what a fantastic advertisement

zarzavat

> > The bad guys won’t rest > Probably not. But we will. A pleasant dose of humanity in decidedly inhuman times.

ubanholzer

This is great. Good decision.

vortegne

Wish them nothing but good rest!

maxbond

Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.

intronic

down-under says: enjoy your summer :)

flaburgan

I can only applause this decision. Maintainers of FOSS project are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests exploded even further. The fact that they actually keep providing support to paying users is enough.

patates

For the people here who want to do the same when they are vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me. Signed: Former workaholic.

laszlojamf

as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...

rustyhancock

A curious approach, but I like it! Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)

low_tech_love

I read one sentence into this and knew directly that the developer must’ve been Swedish!

tempay

For anyone who thinks this might matter for security: * curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.

NietTim

Properly euromaxxing, this is the way.

vessenes

The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!

okeuro49

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

fnoef

Based! Amazing approach, enjoy the vacation!

cat_plus_plus

SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!

napolux

Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D

eviks

> Contracts excluded They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it

shevy-java

So it is holiday season. I thought this was due to AI slop spam before I read the blog entry.