[Daniel's week] April 11, 2026
Daniel Stenberg
daniel at haxx.se
Sat Apr 11 17:43:03 CEST 2026
# April 11, 2026
Another intense week ends.
## Security
We received seven new security reports this week, out of which one was
eventually confirmed to be accurate and is now queued for publication in sync
with the pending curl release on April 29. This makes the third entry in this
queue.
While the quality of the incoming reports remains high even though most of them
are made with help from AI, they still tend to report issues we conclude are
“just bugs” and, in several recent cases, unclear documentation.
The rate of curl security reports so far in 2026 seems to be a little over
double the frequency of 2025 and given the trend and even more AI powered
tools I predict that the pace might go up even more going forward.
According to my totally unscientific poll on Mastodon, I got clear confirmation
from more than twenty Open Source projects in various contexts who all confirm
this trend: a larger volume of decently high quality security reports.
Getting quality is of course good, but the overload risk and situation is
still real and a challenge. Very few security reporters ever actually
contribute a fix or help working on correcting the problem they report.
This trend seems to also have contributed to the Internet Bug Bounty pausing
their payouts [1]. Clearly we were just slightly ahead of them in taking this
decision.
All of this gives me material for my upcoming talk at the Foss-north
conference in Gothenburg on April 28, which I will try to make as a follow-up
to my FOSDEM talk, as things have changed quite a bit since.
## Graphs
Working on two new graphs for the collection that compare C-mistake
vulnerabilities vs non-C-mistake ones [2] (and [3]). C mistakes are those that
could have been avoided had curl not been written in C, determined entirely by
human review of the actual flaw on a case by case basis.
## Space
I think it is confirmed that they use Windows 10/11 computers onboard the
Artemis spacecraft, and then I think we can safely conclude that curl is on
there.
## Media
I did several interviews again this week, with both Swedish and US based
journalists. Primarily on topics related to AI and (Open Source) security.
Results show on The Register [4], NPR [5] and in Swedish on
Elektroniktidningen [6].
## RFC 9421
RFC 9421, also known as HTTP Message Signatures, is a feature that basically
signs a set of headers and contents in the HTTP request so that the receiver
knows they arrive unaltered at the other end. A pull request was submitted this
week [7] for curl to offer this feature. It looks like a great start and it is a
feature I agree fits curl.
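To make concrete what actually gets signed, here is an added example of my own (not code from the curl pull request) that builds an RFC 9421 signature base over the method, authority, path and a Content-Digest, signs it with hmac-sha256 and verifies it on the receiving side; the shared key, key id and sample request are constructed.

```python
import base64, hashlib, hmac

# Constructed shared secret; a real deployment distributes it out of band.
KEY = b"constructed-shared-secret"

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest field value (sha-256) for the request body."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def signature_base(req, components, params):
    """RFC 9421 signature base: one line per covered component ('@' ones are derived
    from the request line, the rest are headers), then the @signature-params line."""
    derived = {"@method": req["method"], "@authority": req["authority"], "@path": req["path"]}
    lines = []
    for c in components:
        value = derived[c] if c.startswith("@") else req["headers"][c].strip()
        lines.append(f'"{c}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def sign(req, components, key, keyid, created):
    """Return Signature-Input and Signature field values (hmac-sha256, label sig1)."""
    params = "(" + " ".join(f'"{c}"' for c in components) + f');created={created};keyid="{keyid}"'
    mac = hmac.new(key, signature_base(req, components, params).encode(), hashlib.sha256).digest()
    return {"signature-input": f"sig1={params}",
            "signature": "sig1=:" + base64.b64encode(mac).decode() + ":"}

def verify(req, key):
    """Rebuild the base from the message as received and compare MACs in constant time."""
    label, params = req["headers"]["signature-input"].split("=", 1)
    components = [c.strip('"') for c in params[1:params.index(")")].split()]
    sig_label, sig_value = req["headers"]["signature"].split("=", 1)
    # A covered Content-Digest only protects the body if the verifier recomputes it.
    if sig_label != label or ("content-digest" in components and
                              req["headers"].get("content-digest") != content_digest(req["body"])):
        return False
    try:
        base = signature_base(req, components, params)
    except KeyError:  # a covered component is missing from the received message
        return False
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig_value.strip(":")), expected)

def make_request(path="/api/v1/items", body=b'{"name":"curl"}'):
    """Constructed sample POST with headers stored lower-cased, signed on creation."""
    req = {"method": "POST", "authority": "example.com", "path": path, "body": body,
           "headers": {"content-type": "application/json"}}
    req["headers"]["content-digest"] = content_digest(body)
    req["headers"].update(sign(req, ["@method", "@authority", "@path", "content-digest"],
                               KEY, "test-key", 1776000000))
    return req
```

Changing the path or the body after signing, or verifying with another key, makes `verify` return False; a real verifier would additionally check `created` against a freshness window and look the key up by `keyid`.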
## Coming up
- Monday: curl 8.20.0-rc2 ships
- Thursday: curl roadmap 2026 webinar. I’ll bring up some ideas of what we
could do this year. Open for your suggestions!
## Links
[1] = https://www.infoworld.com/article/4154210/internet-bug-bounty-program-hits-pause-on-payouts.html
[2] = https://curl.se/dashboard1.html#vulnerability-C-mistakes
[3] = https://curl.se/dashboard1.html#vulnerability-C-mistakes-introduced
[4] = https://www.theregister.com/2026/04/10/project_glasswing/
[5] = https://www.npr.org/2026/04/11/nx-s1-5778508/anthropic-project-glasswing-ai-cybersecurity-mythos-preview
[6] = https://etn.se/index.php/nyheter/73061-svenska-projektet-far-anvanda-fobjudna-llm-en.html
[7] = https://github.com/curl/curl/pull/21239
--
/ daniel.haxx.se