DEV Community

Andrew Kew


AI Security Tools Are Drowning Open Source Maintainers — curl Is the Canary

curl is installed on roughly 30 billion devices. It's arguably the most scrutinised, most-fuzzed networking library on the planet. And right now, its creator is burning out.

Not because curl is suddenly full of holes. Because AI-powered security research has reached a quality and volume that human maintainers weren't built to absorb.

Daniel Stenberg, curl's founder and lead developer, published a raw, honest post this week:

The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 — meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically very detailed and long.

This isn't the slop era anymore. In 2024, Stenberg was writing about stupid LLM hallucinations flooding bug trackers. In early 2025, it was "death by a thousand slops." Now in 2026, the tooling has matured — and so has the pressure.

What actually changed

  • Reports are arriving at 4-5× the 2024 rate, 2× the 2025 rate — over one per day
  • They're no longer hallucinations — reports are credible, detailed, and require full triage
  • The upcoming release already has 12 confirmed vulnerabilities — a project record
  • curl is on track to publish 30+ CVEs in 2026 before the year is half over
  • Stenberg is spending almost all his working hours on HackerOne triage, patching, and advisory writing
  • For the first time, his wife has raised concerns about his work/life balance

The bottleneck isn't the bugs

Here's the thing: technically, curl is holding up. Every vulnerability found in the last few years has been rated LOW or MEDIUM severity; the last HIGH-severity CVE was in October 2023. Nearly three decades of relentless engineering means the catastrophic holes are genuinely rare.

But that's almost beside the point. The constraint isn't bug quality — it's human bandwidth.

AI security tooling can now do systematic, deep code analysis at scale. That's a net positive for software quality. But there's no corresponding scaling on the other side: the small team of maintainers who verify each report, write patches, coordinate disclosure timelines, and ship fixes.

Stenberg is direct about the math: "There's a tsunami coming over us and all we can do is swim, there are no life boats for us."

Why this goes beyond curl

If the best-maintained piece of critical infrastructure on the internet is struggling, the rest of the open source ecosystem should be paying close attention.

This is the open source sustainability crisis getting an AI-shaped edge. The industry consumes billions of dollars of free infrastructure, and maintainers absorb the cost — now including the cost of being the last human checkpoint in an AI-powered security research pipeline.

curl at least has some paying customers. Most projects don't.

What to do

  • If your company depends on curl or libcurl (you do): fund it. Stenberg is explicitly asking for support contracts — that pays developer time. His post has the details.
  • If you ship AI security tooling: think about downstream load. Deduplicate findings against open reports and published CVEs, apply a severity floor, and rate-limit what gets filed, all before anything reaches HackerOne. That would make a real difference to the humans on the other end.
  • If you maintain open source: this pattern is coming for every significant project as AI-assisted research matures. Worth thinking about now, not when you're already drowning.
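One concrete shape for such a pre-submission gate, as an added example written for this post: it is not curl's code and does not touch HackerOne's API. Every file name, function name and finding below is hypothetical and constructed; the point is the ordering of the three checks (dedup by a stable fingerprint, then a severity floor, then a daily budget that goes to the highest-severity findings first).

```python
"""Pre-submission gate for automated security findings.

Added illustration for this post; not curl's code and not HackerOne's API.
All names are hypothetical and the sample findings at the bottom are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    path: str         # file the tool flagged, relative to the repo root
    function: str     # enclosing function
    bug_class: str    # CWE id or short class name
    severity: str     # the tool's own rating, lower-case
    description: str  # free text; varies between runs, so it is NOT part of the key


def fingerprint(f: Finding) -> str:
    """Stable key for 'the same bug': location plus bug class.
    Two reports that differ only in wording collapse onto one fingerprint."""
    key = "|".join(s.strip().lower() for s in (f.path, f.function, f.bug_class))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Gate:
    """Dedup, then severity floor, then daily budget, applied in that order."""
    min_severity: str = "medium"
    daily_budget: int = 2
    # Fingerprints already filed (open reports, published CVEs, earlier runs).
    # Seeded by the operator and extended as findings are accepted for submission.
    known: set[str] = field(default_factory=set)
    submitted_today: int = 0

    def decide(self, f: Finding) -> tuple[str, str]:
        """Return (action, reason); action is 'submit', 'drop' or 'hold'."""
        fp = fingerprint(f)
        if fp in self.known:
            return "drop", f"duplicate of known report {fp}"
        if SEVERITY_RANK.get(f.severity, 0) < SEVERITY_RANK[self.min_severity]:
            return "drop", f"{f.severity} is below the {self.min_severity} floor"
        if self.submitted_today >= self.daily_budget:
            return "hold", "daily submission budget exhausted; queued"
        self.known.add(fp)
        self.submitted_today += 1
        return "submit", "new finding above floor, within budget"


def triage(findings: list[Finding], gate: Gate) -> dict[str, list[Finding]]:
    """Process highest severity first so the budget goes to what matters most."""
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK.get(f.severity, 0))
    out: dict[str, list[Finding]] = {"submit": [], "hold": [], "drop": []}
    for f in ordered:
        action, _reason = gate.decide(f)
        out[action].append(f)
    return out


# Constructed sample batch: one day of scanner output against a hypothetical tree.
SAMPLE = [
    Finding("src/header.c", "parse_header", "CWE-125", "medium", "read past end of line buffer"),
    Finding("src/header.c", "parse_header", "CWE-125", "medium", "one-byte over-read"),  # same bug, reworded
    Finding("src/cookie.c", "cookie_parse", "CWE-20", "low", "lenient date parsing"),
    Finding("src/url.c", "parse_port", "CWE-787", "high", "stack write on long port string"),
    Finding("src/ftp.c", "parse_pwd", "CWE-476", "medium", "NULL deref on empty reply"),
    Finding("src/telnet.c", "suboption", "CWE-121", "high", "filed last week, still open"),
]


def run_sample() -> dict[str, list[Finding]]:
    # The telnet finding was already reported, so its fingerprint is pre-seeded.
    gate = Gate(min_severity="medium", daily_budget=2, known={fingerprint(SAMPLE[5])})
    return triage(SAMPLE, gate)


if __name__ == "__main__":
    for action, items in run_sample().items():
        for f in items:
            print(f"{action:6} {f.path}:{f.function} [{f.severity}] {f.description}")
```

On the sample batch this files two reports (the new HIGH and the first MEDIUM), queues the third new finding for the next day, and drops the reworded duplicate, the already-open telnet report and the LOW. The fingerprint deliberately excludes the description because that is the part an LLM rewrites between runs; if your tool attaches a reproducer, hash that too.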

Sources: The pressure — Daniel Stenberg · Simon Willison's linkblog

✏️ Drafted with KewBot (AI), edited and approved by Drew.
