The Pressure
26th May 2026 - Link Blog
[The pressure](https://daniel.haxx.se/blog/2026/05/26/the-pressure/) ([via](https://lobste.rs/s/dw02ye/pressure "Lobste.rs")) Daniel Stenberg on the unprecedented level of pressure the curl team are facing right now thanks to the deluge of (credible) AI-assisted security issues being reported.

> The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 -- meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically _very_ detailed and long. [...]
>
> For the first time in my life, my wife voiced concerns about my work hours and my imbalanced work/life situation. I work more than I’ve done before, but the flood keeps coming. [...]
>
> This is a never-before seen or experienced pressure on the curl project and its security team members. An avalanche of high priority work that trumps all other things in the project that is primarily mental because we certainly _could_ ignore them all if we wanted, but we feel a responsibility, we have a conscience and we are proud about our work.

The good news is that curl is a very solid piece of software, so the vulnerabilities people are finding tend not to be of high severity:

> What is also a good trend: almost no one finds _terrible_ vulnerabilities. All vulnerabilities found the last few years in curl have _all_ been deemed severity LOW or MEDIUM. I'm not saying there won't be any more HIGH ever, but at least they are rare. The most recent severity high curl CVE was published in October 2023.