Curl will not accept vulnerability reports during July 2026

Article excerpt

Daniel Haxx, maintainer of the widely used curl software library, announced that curl will stop accepting vulnerability reports during July 2026, a month-long window when he plans to take time off. The decision sparked debate on Hacker News about open-source sustainability and security practices. While Haxx frames it as necessary rest for a solo maintainer managing a critical project used by millions, critics worry about the security implications of leaving vulnerabilities unreported during that period. The announcement highlights the tension between developer burnout and the expectations placed on maintainers of foundational infrastructure.