upvote

points

by zarzavat5 hours ago |
comments
upvoteby Timshel5 hours ago|
next
[-]
Especially since it appears there is a solution if you truly need a fix.

> Or you get a support contract and we get to read about it earlier.

reply
upvoteby bawolff4 hours ago|
parent|
next
[-]
> Especially since it appears there is a solution if you truly need a fix.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

reply
upvoteby alibarber3 hours ago|
parent|
[-]
Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.
reply
upvoteby cat_plus_plus4 hours ago|
parent|
prev|
[-]
In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.
reply
upvoteby donw5 hours ago|
prev|
next
[-]
That was just a beautiful, period.
reply
upvoteby Natsu5 hours ago|
prev|
[-]
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
reply
upvoteby Cider99864 hours ago|
parent|
next
[-]
Mythos found only one. Would have to be pretty serious bad guys.

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

reply
upvoteby prmoustache3 hours ago|
parent|
prev|
next
[-]
The bad guys wouldn't have submitted a vuln report anyway.
reply
upvoteby PunchyHamster1 hours ago|
parent|
[-]
Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using
reply
upvoteby victorbjorklund3 hours ago|
parent|
prev|
next
[-]
Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.
reply
upvoteby bvcp4 hours ago|
parent|
prev|
next
[-]
if a company has a problem with this pay for support if its not worth the money …
reply
upvoteby Cthulhu_2 hours ago|
parent|
prev|
next
[-]
Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.
reply
upvoteby shevy-java3 hours ago|
parent|
prev|
[-]
Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.

In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.

I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.

The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)

reply