Daniel Stenberg shows how AI reports are straining curl’s human core
curl’s security queue is filling faster than a small team can process it. (AI-generated image / TECH&SPACE)
- curl is receiving more than one security report per day, 4 to 5 times the 2024 rate.
- AI-assisted reports are now detailed enough to create a serious verification burden.
- Stenberg describes pressure that is already affecting work hours and personal balance.
curl is one of those projects most users never see, but the internet constantly uses. That is why the warning around it matters beyond a single mailing list. In a note highlighted by Simon Willison, Daniel Stenberg describes an unprecedented volume of security reports reaching the curl team, with much of the surge assisted by AI tools.
The number is blunt: the incoming report rate is now 4 to 5 times the 2024 rate and twice the 2025 rate. In practice, that means more than one report per day. This would be less alarming if the flood were mostly noise, duplicates, or obviously automated mistakes. Stenberg points to the harder problem: the quality is much higher than before, and the reports are often long, detailed, and credible enough to require serious analysis before they can be dismissed or confirmed.
That marks a real shift in open-source security work. AI tools can help researchers write better reports faster, connect clues, and frame a suspected vulnerability more convincingly. But each report still has to be read, reproduced, checked, contextualized, and acted on by a human maintainer, and a plausible-looking report that turns out to be wrong costs nearly as much effort to rule out as a real one costs to confirm. In a project like curl, where security documentation is public and real defects can matter widely, responsible handling is not the same as quickly closing a ticket.
The most important detail in Stenberg’s account is not technical but organizational. He says that, for the first time, his wife voiced concern about his work hours and his work-life imbalance. That is the concrete cost of this new model of security productivity: AI can increase the number of plausible reports, but it does not increase the number of experienced maintainers able to process them responsibly.
This exposes a familiar weakness in the software industry’s dependence on open source. curl is a foundational tool, embedded in countless systems, distributions, and development workflows. Its code sits close to everyday network communication, yet the security pressure still lands on a relatively small group of people. When Stenberg describes an avalanche of high-priority work that pushes aside everything else in the project, that is not rhetoric; it is an operational description of maintaining critical infrastructure.
AI therefore raises more than the question of how many vulnerabilities can be found. It also asks who pays the verification cost. If credible reports keep arriving faster than maintainers can resolve them, open-source projects may need to rethink triage rules, expectations for reporters, and funding for security labor. For curl, whose creator and lead maintainer is Daniel Stenberg, that pressure is already unprecedented. For the wider software industry, it is an early picture of a problem likely to spread.