zarzavat 12 hours ago

> > The bad guys won’t rest

> Probably not. But we will.

A pleasant dose of humanity in decidedly inhuman times.

Timshel 12 hours ago | parent | next [-]

Especially since it appears there is a solution if you truly need a fix.

> Or you get a support contract and we get to read about it earlier.

bawolff 11 hours ago | parent | next [-]

> Especially since it appears there is a solution if you truly need a fix.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

matthewdgreen 5 hours ago | parent | next [-]

Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part.

layer8 4 hours ago | parent [-]

Why would you personally need the entire internet to receive a fix?

toast0 an hour ago | parent | next [-]

It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa)

Also handy if the internet is running a DDoS reflector and you're being targeted.

Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships.

arwineap 3 hours ago | parent | prev [-]

Running a fork is a lot of work. You need your fixes upstreamed so that you don't need to backport other people's fixes

lokar 3 hours ago | parent [-]

For a couple months? Not a big deal

alibarber 10 hours ago | parent | prev [-]

Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.

cat_plus_plus 11 hours ago | parent | prev [-]

In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.

donw 12 hours ago | parent | prev | next [-]

That was just beautiful, period.

Natsu 12 hours ago | parent | prev [-]

I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.

Cider9986 11 hours ago | parent | next [-]

Mythos found only one. Would have to be pretty serious bad guys.

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

bluGill 3 hours ago | parent [-]

Remember though that many other AIs had already run and found issues that were fixed. If you had a time machine and took Mythos back a year it probably would have found a lot more. (if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check)

timeinput 2 hours ago | parent [-]

Imagine the bugs you'd find in curl from five years ago! I bet there are tons!

prmoustache 10 hours ago | parent | prev | next [-]

The bad guys wouldn't have submitted a vuln report anyway.

PunchyHamster 8 hours ago | parent [-]

Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using

victorbjorklund 10 hours ago | parent | prev | next [-]

Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.

bvcp 11 hours ago | parent | prev | next [-]

If a company has a problem with this, pay for support; if it's not worth the money …

Cthulhu_ 9 hours ago | parent | prev | next [-]

Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.

shevy-java 10 hours ago | parent | prev [-]

Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.

In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited later on. Bad folks don't want to be caught; remember the xz utils backdoor.

I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.

The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)