[Daniel's week] February 12, 2026
Daniel Stenberg
daniel at haxx.se
Thu Feb 12 17:10:37 CET 2026
Hey,
Yes it is almost Friday. As I'm going away on a little vacation for a week
starting tomorrow you get my weekly summary today instead. Enjoy!
## security
I am not sure we can tell anything reliably yet about the security report
submission frequency since we closed down the bug-bounty on February 1, but it
has gone down. I suppose we just need to wait and see if it is just a
temporary low because of us switching off Hackerone and going with GitHub. We
have already seen AI slop submitted in the new inbox as well, so it is not
completely gone.
In our quest to address the stream of low quality reports and switching away
from Hackerone as a platform for those, I think we a little naively expected
the system GitHub has for this to be better than it is. A lack of proper
testing and vetting ahead of time that we now get to instead check out in
production.
Disappointed with the newly switched-to solution, I have made sure to pass on
our wishlist [3] to the appropriate people at GitHub but because some of our
complaints concern some rather fundamental details I have no illusions that
they can or will address them within a time frame that can make us wait. We
will move the curl security reporting again, but before we do, we want to
weigh our options properly. I will of course let you know where we go when it
happens.
Meanwhile, we received a security report on GitHub that we confirmed and we
now have a pending CVE to announce in sync with the next release. One of those
mistakes that have been around in the source code for over two decades.
We are also engaged in our first "CVE dispute" since we became CNA. A reporter
who for some reason insists that an issue we dismissed and did not agree to
create a CVE for, wants a CVE to be made for an issue we fixed in the latest
curl release. They do this by "appealing" our decision to Mitre. I still think
we did right and I insist. I'll let the process play out before I discuss the
details in public. Based on past experiences with this organization I don't
have much belief that competence and logic necessarily will win.
We have two past claimed CVEs for curl that we can get rid of because... yeah,
a broken system if you ask me. We list them separately at the bottom of our
security page [4]. Those two were however claimed before we became CNA.
## media
The whole AI slop and stopping the bug-bounty stories triggered a lot of media
attention that still has not calmed down, and I have continued to do
interviews with media about it this week.
## podcast
I guested the Redmonk podcast [1] this week and talked AI slop, bug-bounty and
a lot more curl details.
## 500 subscribers
This is the first edition of my weekly email that is sent to over 500
subscribers.
## curl up
We have set the date for the annual curl developers and users "conference";
curl up 2026 [5]. It is going to happen over the weekend May 16-17 in a
European capital. We are now in the process of deciding exactly which capital
to arrange this in, and I hope we can have a city set and announced by the end
of February or so. But you can already now mark your calendars!
## rc1
We made a first release candidate available [2] for the pending curl 8.19.0.
If you have a few minutes over, please take it for a spin and verify that it
still runs your use case the way it is supposed to. Release candidates and
people testing them is a great way for us to find and fix problems before they
end up real regressions in the actual release.
This release cycle is extended by one week, which gives us one week extra
after the feature window to fix bugs.
## EOSAwards
The full video from the European Open Source Awards 2026 on January 29th was
published on YouTube [6].
## vacation
This edition of my weekly email is sent on a Thursday simply because early
tomorrow morning I take off on a one week vacation and the plan is to mostly
avoid doing curl things while gone. Subsequently, I will not send any weekly
email next week.
## curling
As Sweden has won at least one Olympic gold medal in curling in 2026, it seems
only appropriate to enjoy Harry Sintonen's toy a little extra:
curl -L sintonen.fi/curling
## Coming up
- one week of vacation
- then rc2 after that
## Links
[1] = https://redmonk.com/videos/daniel-stenberg-ai-onslop/
[2] = https://curl.se/rc/
[3] = https://gist.github.com/bagder/ed3268e8745452a53a999d23b7fa1273
[4] = https://curl.se/docs/security.html#bogus-security-vulnerabilities
[5] = https://github.com/curl/curl-up/wiki/2026
[6] = https://youtu.be/KXS5KQjWjns?si=bN35SofySbhbtys_&t=150
--
/ daniel.haxx.se