My week: https://lists.haxx.se/pipermail/daniel/2026-June/000157.html
security, curl up, feature freeze, talk pause
Signal feed
@bagder@mastodon.social
I write curl. I don't know anything.
Latest notes
30 minutes until me time at #bsidesvilnius
not even half-way through this #curl release cycle we are already at 11 confirmed vulnerabilities - and there are three left in the queue to assess and new reports keep arriving at a pace of more than one/day
11 CVEs announced in a single release is our record from 2016 after the first-ever security audit (by Cure53).
@kuba in general they've been around for a very long time:
Welcome penpal as #curl commit author 1476: https://github.com/curl/curl/pull/21642
Thanks Dave for the advice.
Day off. National holiday. Fourteen security reports have arrived in the last fourteen hours... 😱
ENHANCE_YOUR_CALM
#Mythos finds a #curl vulnerability
yes, as in singular one.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
Meanwhile on LinkedIn... #curl
I spoke about the Open Source AI Reality at #fossnorth this morning. Awesome crowd. Excellent questions. (video pending)
Now going back home to do a #curl release tomorrow.
"Pre-built GitHub profiles with five-year commit histories and Arctic Code Vault Contributor badges sell for approximately $5,000 on Telegram."
https://awesomeagents.ai/news/github-fake-stars-investigation/
@kaia only volunteers would submit themselves to this to begin with, and we are all volunteers on this
Also, none of this is slop anymore.
The AI slop security reporting is basically extinct. It almost does not happen anymore. At all.
I spent my whole work day yesterday on h1 issues. Nothing else.
Woke up to two new reports this morning.
Taking deep breaths and refilling my cup. Here we go again.
"I am submitting this via direct email as I am currently unable to use the HackerOne platform due to account restrictions for new reporters."
In case someone was wondering what happens when we try to make it harder for new accounts to submit new reports.
Everyone is busy trying to report security issues. Not so much regular bugs. #curl has one open bug on GitHub right now.
This morning we got one of our pending #curl security flaws reported a **4th** time.
Everyone is using (the same) AI tools now.
my latest absolutely correct: https://hackerone.com/reports/3669305
You are absolutely correct.