Curl maintainer pauses vulnerability reporting for July 2026

Daniel Stenberg, the long‑time maintainer of Curl, posted on June 15, 2026 that the project will not accept any vulnerability reports for the month of July 2026. The pause is presented as a “summer of bliss” to give the maintainer a break and to focus on other project work [Daniel Stenberg's blog].

The suspension applies to all categories of security findings—code execution, denial‑of‑service, information leakage, and stability‑related bugs. Stenberg did not provide an alternative reporting channel, indicating that reports should simply be withheld until the policy lifts on August 1 2026 [Daniel Stenberg's blog].

For engineers who rely on Curl in production, the immediate effect is a forced delay in submitting new findings. Teams will need to postpone remediation plans until after August, potentially extending the window in which undisclosed flaws remain unpatched. The backlog created by a month‑long reporting freeze could increase the workload for security teams when the window reopens.

Curl powers a wide range of software—from web browsers and cloud services to embedded devices—making the temporary halt noteworthy for any organization that embeds the library. The decision underscores the tension between open‑source maintainer well‑being and the continuous security expectations of downstream users.