June 15, 2026
Hot Curl Summer goes offline
Curl will not accept vulnerability reports during July 2026
Curl says ‘see you in August’ as fans cheer the break and side-eye the risk
TLDR: Curl will ignore security problem reports for all of July 2026 so its exhausted maintainers can finally rest, and even the next release is being delayed. Many commenters loved the boundary-setting, but others warned the public timeout could attract trouble or collapse if paying customers demand urgent fixes.
In a move that made parts of the internet gasp, laugh, and then reluctantly nod, the team behind curl — the tiny but massively important tool that helps software move data around the internet — announced it is basically closing its inbox to security problems for all of July 2026. The project’s bug-report form shuts on July 1, reopens August 3, and even its security email gets the same summer vacation treatment. Their message? The last few months have been intense, they need air, and yes, they plan to go outside.
The comments instantly turned this into a mini morality play about burnout, boundaries, and whether the internet is allowed to take a nap. One camp was fully supportive, calling it a “pleasant dose of humanity” and a “great decision,” with others simply wishing the maintainers a good rest. The biggest cheer was for the project’s unapologetic tone: when asked what happens if attackers don’t take the month off, curl’s answer was basically, “Probably not. But we will.” That line landed like a mic drop.
But not everyone was fully zen. One commenter joked this was a “fantastic advertisement,” hinting that publicly announcing a no-response month might tempt troublemakers. Another raised the thread’s main anxiety: if a serious flaw pops up in public, paid customers could still pressure the team into fixing it anyway, making the “vacation” feel less blissful than advertised. And yes, the jokes arrived right on cue — including an “Atlas shrugged, but only for a month” crack — because nothing says open-source drama like existential labor discourse with vacation vibes.
Key Points
- The curl project will pause all vulnerability-report handling for the month of July 2026.
- curl’s HackerOne submission form will be paused from July 1, 2026 at 00:00 CEST and will reopen on August 3, 2026 at 09:00 CEST.
- The project said security emails sent during the pause will not be processed, and it reiterated that vulnerability reports are not accepted over email in general.
- curl’s GitHub issue tracker and pull-request tracker will remain open and active during the pause.
- The release of curl 8.22.0 has been delayed by two weeks and is now scheduled for September 2, 2026, while paid support customers will continue receiving service.