For more than thirty days starting July 1, the open-source data-transfer library curl will not process a single new vulnerability report. The project's HackerOne intake form goes dark at 00:00 Central European Summer Time, or 15:00 Pacific time on June 30, and stays dark until 09:00 CEST on August 3, according to a post from curl project lead Daniel Stenberg on his personal blog. Any flaw a security researcher discovers during the window has nowhere to go through the project itself.
A vulnerability report is the channel through which a researcher tells a project's maintainers about a defect they have found, so it can be fixed and disclosed on a coordinated schedule. It is the standard mechanism through which most open-source security actually works. Pausing intake does not pause the existence of flaws. It pauses the coordination.
For US-based researchers, the practical effect is a month with no live submission form. The project's security email, security@curl.se, is also a dead end during the window, and is not used for vulnerability reports even outside the pause, Stenberg's post notes. There is no fallback channel announced.
The reason Stenberg gives is straightforward. He is on vacation, the maintainer team wants breathing room, and the existing backlog of reports needs to be cleared. The July pause is meant to free time for working through queued bugs and writing new code, not to change disclosure policy in any lasting way. That framing is on the source blog post, and it is fair framing for a small volunteer project.
It is also a security choice, even when it is a vacation. Curl is the default library for moving data over HTTP, HTTPS, FTP, and a long list of other protocols, and it ships in billions of devices and downstream products. A month-long intake pause means a researcher who finds a critical flaw in late July cannot open a coordinated disclosure case through the project. They can disclose to a CERT, a vendor, or a downstream distributor, but the project itself will not be in the loop until submissions reopen. Any flaw actively exploited during the window has no coordinated disclosure path through curl.
This is what critical infrastructure maintained as a hobby looks like at scale. Paid support contracts with the project continue to be honored, as Stenberg has noted in past posts about curl's commercial layer. Free reports, which is how most independent research reaches the project, are the part being paused. The pause is short. The work is real. The question the pause surfaces is also real: a small volunteer project shipping in billions of devices has no systemic backstop for the month its maintainer takes off, and there is no obvious second line.
The submissions form reopens on August 3. Until then, the queue grows quietly.