The Incident
As of July 1, 2026, the curl project officially stopped accepting security reports. This is not a partial suspension or a soft pause. Until August 3, 2026, all channels, including HackerOne and the dedicated security email address, are effectively dark. Daniel Stenberg, the project's lead maintainer, dubbed this period the "curl summer of bliss," emphasizing that the team is stepping away from the keyboard to avoid professional burnout caused by an unsustainable volume of AI-generated noise.
The Economics of Noise
For years, curl maintained a healthy triage process where roughly 15% of reports resulted in confirmed vulnerabilities. By 2025, that figure plummeted to below 5%. Stenberg estimates that, at the peak, nearly 20% of all incoming reports were "AI slop"-fabricated claims citing non-existent functions, imaginary code paths, or vulnerabilities already resolved years prior.
The core issue is a shift in cost asymmetry:
- Generation Cost: With LLMs, identifying and writing a plausible-sounding CVE report now costs near-zero effort.
- Verification Cost: Validating the claim, reviewing the code, and testing the proof of concept still requires the same high-level human expertise as always.
A DDOS on Triage
Stenberg has candidly referred to this flood of automated reports as a denial-of-service attack on the project's triage capacity. A seven-person volunteer team simply cannot compete with an automated stream of reports that require manual verification.
Initially, curl attempted to manage this by:
- Banning accounts submitting clear AI artifacts.
- Terminating their paid HackerOne bounty program on January 31, 2026.
Despite these efforts, the volume continued to climb. The removal of a financial incentive did not curb the spam because many generators operate without a profit motive, potentially chasing reputation or resume padding. The result is a broken triage pipeline where maintainers are forced to spend their limited time reading AI-generated fiction instead of fixing real risks.
The Scalability Problem
This is not a project-specific anomaly. The broader developer community is witnessing identical patterns:
- HackerOne IBB: The Internet Bug Bounty program paused new submissions in March 2026, pivoting to focus on remediation after models proved adept at discovery.
- CVE Growth: Sonatype's 2026 State of the Software Supply Chain report notes that the count of unscored CVEs has grown 37x in five years.
The "summer of bliss" is a structural defense against a new reality. By shutting down intake, curl is establishing a boundary, prioritizing maintainer health over the expectation that open-source projects must provide instant, 24/7 security response for every automated bot that targets them.
If you maintain a popular repository, the data suggests you should prepare for a scenario where your triage queue exceeds your capacity. Relying on an "always on" model is increasingly difficult when the barrier to creating "reports" has been entirely removed by LLMs.
Top comments (0)