Source: Simon Willison: The Pressure

Level: technical

The curl project is experiencing an unprecedented volume of security reports: the rate is four to five times that of 2024 and double that of 2025, and the team now receives more than one report per day on average. The reports are notably long and detailed, driven by AI-assisted tools that produce credible findings. Their quality is higher than ever, but the sheer quantity creates a relentless workload, since every report still has to be read, reproduced and assessed by a human before it can be closed or fixed.

Daniel Stenberg, lead developer of curl, described the situation as pressure on the project and its security team of a kind never seen before. The constant influx of high-priority work has taken a personal toll: Stenberg noted that, for the first time, his wife expressed concern about his working hours and work-life balance. He works more than ever, yet the flood of reports continues, and a sense of responsibility and pride in the project leads the team to prioritize security work over other project tasks.

Despite the surge, the vulnerabilities found are mostly of low or medium severity; the last high-severity curl CVE was published in October 2023. This suggests curl is a solid piece of software, but the volume of reports still demands significant attention, because a low-severity report costs nearly as much triage effort as a high-severity one. The trend shows how AI is changing security research: it enables more people to find and report real issues, but it also risks overwhelming the maintainers of critical open-source projects.

Why it matters: AI-assisted security research is increasing the burden on open-source maintainers, requiring new approaches to handle the volume without burning out teams.
