A Month Without Vulnerability Reports
On June 15, 2026, curl maintainer Daniel Stenberg announced that the curl project will not accept any vulnerability reports during the entire month of July 2026. The HackerOne submission form will be paused from July 1 through August 3. No CVE assignments, no security advisories, no triage, no review. The most widely deployed HTTP client library in the world — used in virtually every operating system, every container image, every CI/CD pipeline — will have a closed door for security reports for 34 days.
The announcement hit 466 points on Hacker News, resonating with a development community drowning in the same problem. The reason is not burnout from real vulnerabilities. It is burnout from AI-generated slop — fabricated vulnerability reports produced by AI tools that sound authoritative, reference real code paths, cite plausible attack vectors, and are entirely fictional. Each one requires the same triage effort as a real report. The signal-to-noise ratio has collapsed.
How AI Slop Killed Bug Bounties
The timeline tells the story. Bug bounty platforms like HackerOne incentivize vulnerability discovery with financial rewards. AI tools — ChatGPT, Claude, Gemini, and specialized 'AI pentest' tools — can generate plausible-looking vulnerability reports in seconds. Aspiring bounty hunters use AI to mass-produce reports, submit them across hundreds of projects, and hope that some percentage result in payouts. The AI reports are grammatically polished, technically detailed, and frequently wrong.
For a project like curl, which has a small maintainer team (essentially Stenberg and a handful of contributors), each report requires reading, understanding, attempting to reproduce, and writing a response. A fabricated report about a buffer overflow in a function that handles edge cases in HTTP/2 header parsing requires the same investigation effort as a real one — until the maintainer discovers it describes behavior that does not exist. Multiply this by dozens of AI-generated reports per week, and the maintainer's time is consumed by fiction.
The Meta-Pattern: AI Degrading Security Infrastructure
curl is not alone. The pattern is appearing across open source security infrastructure. Maintainers of Linux kernel subsystems, OpenSSL, and Python's standard library have reported similar floods. The OWASP prompt injection report (340% surge in 2026) documents the offensive side. The curl story documents the defensive side: the infrastructure that exists to find and fix vulnerabilities is being overwhelmed by AI-generated noise that mimics the shape of vulnerability reports without containing actual vulnerabilities.
This is a second-order effect of AI capability that the AI safety conversation has largely ignored. The threat is not that AI finds real vulnerabilities (that would be valuable). The threat is that AI generates convincing-looking fake vulnerability reports at a volume that makes the real ones impossible to find. The security researchers who would be triaging real curl vulnerabilities in July 2026 will not be doing that work. Any real vulnerability discovered during that window will wait 34 days for review.
What This Means for the Web
curl is a dependency of virtually every web framework. WordPress uses it. Next.js's server-side fetching uses it. FastAPI's httpx uses it. Django's requests library uses it. A vulnerability in curl affects every web application in existence. The project's decision to close vulnerability intake for a month means that any curl vulnerability discovered in July 2026 will remain unpatched and unacknowledged for at least 34 days — in the HTTP library that underpins the internet.
The broader implication is that open source security depends on human attention, and human attention is a finite resource being consumed by AI-generated noise. The frameworks that minimize their dependency surface — static site generators with zero runtime HTTP dependencies, compiled languages with vendored libraries — are structurally less exposed to this risk. The frameworks that maximize their dependency surface — WordPress with 78,000 plugins, each with their own dependency trees — are structurally more exposed. The security of the web is only as strong as the humans who have time to review the reports.


