Curl will not accept vulnerability reports during July 2026

Overall reaction

  • Many commenters support curl maintainers taking a month off from vulnerability handling, calling it healthy, humane, and overdue.
  • Some see it as clever messaging that simultaneously normalizes vacation and advertises commercial support.
  • A few think it’s “curious” or risky, but still accept the need for a break.

Paid support and “fix it yourself”

  • Strong emphasis that curl is free software with no warranty; users needing guarantees should buy a support contract.
  • Multiple people stress that, with source available, organizations can:
    • Patch issues themselves.
    • Maintain a temporary fork.
    • Upstream patches later.
  • Others respond that long‑term maintenance of forks and integration across the ecosystem can be costly and impractical.

Security & disclosure concerns

  • Some worry attackers will exploit the “quiet month,” or concentrate on finding zero‑days then.
  • Others counter:
    • Serious attackers wouldn’t rely on the project’s intake process anyway.
    • Highly impactful vulnerabilities are already rare in mature projects like curl.
  • Debate over “responsible disclosure”:
    • One side: still wait (e.g., 90 days is typical), or at least another month.
    • Other side: if there’s an actively exploited bug, public disclosure with a minimal patch may be justified.
    • Several note there are only community norms, not hard rules.

Work–life balance and vacation culture

  • Long subthreads praise strict separation of work and time off, including:
    • Leaving work devices behind or technically blocking access.
    • Managers who explicitly discourage or penalize working on vacation.
  • European posters describe norms of 4+ weeks of vacation, sick‑day protections, and legal/cultural backing for real disconnection.
  • Others share North American contexts where such boundaries are harder early in a career but more possible at senior levels.

Systemic OSS & funding issues

  • Concerns that critical infrastructure depends on a few underfunded individuals with no backup.
  • Some argue users “consume” OSS without paying, yet expect enterprise‑grade SLAs.
  • Discussion of how hype projects (e.g., AI tools) attract far more funding than boring but essential libraries like curl.

Technical side‑notes

  • Brief mentions of AI tools finding curl bugs, Rust rewrites being harder than they sound, and alternative approaches like formal methods or compartmentalization (e.g., sandboxing, Qubes‑style isolation).