Curl Project Suspends Vulnerability Reports for July 2026

The curl project, led by Daniel Stenberg, announced it will pause all vulnerability report submissions for the entire month of July 2026. This marks an unusual step for one of the internet's most critical open-source tools, which processes trillions of requests daily.

The decision stems from a desire to give maintainers a planned respite from the constant pressure of security disclosures. Curl's team has historically operated under a steady stream of vulnerability reports, and this hiatus aims to prevent burnout and sustain long-term project health.

During July 2026, security researchers are asked to withhold any findings until August. Reports submitted before the cutoff will be handled as usual, but none will be accepted or triaged during the break period. Curl's source code and other operations will continue normally.

This pause could create a window of uncertainty for organizations relying on curl, though the project emphasizes that no known critical vulnerabilities are being ignored. Users are encouraged to stay on the latest stable release before the embargo begins.

Some security experts question whether such a moratorium could be exploited by malicious actors, though the limited timeframe and advance notice mitigate that risk.