Curl will not accept vulnerability reports during July 2026

The cURL project is declaring a 'summer of bliss,' halting all vulnerability report submissions during July 2026 to prioritize maintainer well-being. This unprecedented move by a critical piece of internet infrastructure highlights the unsustainable pressure on open-source developers. Its popularity on HN stems from the provocative discussion it sparks about burnout, security responsibility, and the future sustainability of essential open-source projects.

Score: 76; Comments: 4; Highest Rank: #3; Time on Front Page: 12h; First Seen: Jun 15, 6:00 AM; Last Seen: Jun 15, 5:00 PM

The Lowdown

The cURL project, a foundational component of the internet, has announced a radical decision: it will not accept or process any vulnerability reports throughout July 2026. Dubbed the 'curl summer of bliss,' this initiative aims to give its maintainers a much-needed respite from the relentless pressure of security patching and support.

  • Vulnerability Blackout: From July 1 to August 3, 2026, cURL's HackerOne submission form will be paused, and its security email address will not be monitored for new reports.
  • Maintainer Well-being: The primary goal is to allow the maintainers to take a real vacation, relax, and combat burnout after experiencing a significant deluge of security issues in the preceding months.
  • Operational Impact: As a direct consequence, the release date for cURL version 8.22.0 will be pushed back by two weeks, now scheduled for September 2, 2026.
  • Continued Activity: Standard development work on GitHub, including general issue tracking and pull requests, will continue as normal.
  • Contract Exceptions: Projects with paid support contracts will continue to receive full service, indicating that the 'blackout' primarily affects public, unpaid vulnerability submissions.
  • Aspirational Message: The project encourages other open-source initiatives to consider similar actions, emphasizing self-care as a top priority for developers.
  • Risk Acknowledgment: While acknowledging that 'the bad guys won't rest,' cURL states that non-contracted emergency issues will simply have to wait until August for review.

This bold step by cURL underscores a growing concern within the open-source community regarding maintainer sustainability and the immense, often uncompensated, burden placed upon individuals responsible for widely used software.