- curl’s maintainer says vulnerability reports will not be accepted during July 2026.
- The HackerOne submission form is said to pause on July 1, 2026, and reopen on August 3, 2026.
- GitHub issues and pull requests are said to stay open during the pause, according to the post.
What is being said.
What curl is saying, plain as a screen door in a thunderstorm, is that the project will not accept or otherwise handle vulnerability reports during July 2026. In the maintainer’s post, curl says its HackerOne submission form will pause starting July 1, 2026, and reopen on August 3, 2026.
The same post says curl’s GitHub issue and pull-request trackers will remain open and active like normal, and it says paid support contract customers will still get full and appropriate service during the pause.
What is actually known.
The core claim comes from curl’s own blog post, titled "curl summer of bliss," published on June 15, 2026. That post directly states the pause in vulnerability intake and names the dates for the HackerOne form shutdown and restart.
There is also a Hacker News discussion thread pointing back to the post, which shows public attention to the announcement. That discussion is chatter around the post, not separate proof of the policy.
What remains unverified.
What remains unverified, in the sense that this packet does not include outside reporting, is anything beyond curl’s own announcement and the discussion it sparked. The project says the pause will happen, but this packet does not add independent confirmation from another newsroom or outside source.
The practical reasons behind the pause are not treated here as settled reporting beyond what curl itself chose to publish. So, like a mule tied to the porch rail, the facts we have are fixed to the post, and the rest is just wind in the pines.
Analysis.
Analysis-wise, this looks like a deliberate maintenance break rather than a security retreat. curl appears to be drawing a hard line around one intake channel for one month while leaving the rest of its public machinery running, which is a neat way to keep the shop lights on without taking every knock at the door.
If the schedule holds, the move could help the maintainers breathe, sort the hay from the chaff, and return in August with a cleaner inbox. But that is analysis, not reporting, and it should be read as a possibility rather than a fact about outcomes.
Who is doing the hollering
These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.
Last checked Jun 15, 2026, 9:05 AM EDT. Talk Around Town: The announcement appears real and specific, but this packet is based mainly on curl’s own post plus discussion around it. The underlying decision is not independently verified by outside reporting.