Do Son 
A Month-Long Pause on Vulnerability Reports
Daniel Stenberg, the lead maintainer of the widely used curl project, has announced that the team will stop accepting vulnerability reports for the entire month of July 2026. He has named this initiative the curl summer of bliss.
This is not a response to any security incident. Instead, it reflects a deliberate choice to rest after months of heavy workload. Stenberg encourages other open source projects to consider a similar break.
Key Dates for the Pause
The schedule for the summer of bliss is clearly defined. Reports submitted outside this window will follow the usual process.
- Start: July 1, 2026, at 00:00 CEST
- End: August 3, 2026, at 09:00 CEST
- Action: No vulnerability reports will be accepted through HackerOne or email during this period
- Standing policy: curl has never accepted vulnerability reports by email, and this will not change after the pause ends
- Release delay: Version 8.22.0 will now ship on September 2, 2026, two weeks later than originally planned
- GitHub: Issue tracking and pull requests on GitHub will remain open as usual
Emergencies Still Need a Contract
Even urgent security issues will wait until August unless a company holds a paid support contract. Customers with such contracts can still reach the team early and receive full service throughout the pause.
So what happens if attackers do not take the same break? The maintainers have considered this risk already. Even so, they plan to prioritize rest over handling unpaid emergency reports during July.
Other Projects Are Welcome to Join
Stenberg has invited other open source maintainers to take their own break this summer. He frames the pause as an act of self-care rather than a sign of trouble within the project.
For more details on the announcement, read the original curl summer of bliss blog post from Daniel Stenberg.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
