Comment by Nextgrid

Yeah I think a reply ignoring the threat and just explaining what Curl is would be the best approach here.

Either the person is just a crank and in that case no harm done, or the person has legitimately been affected by an exploit and at the very least it will inform them of what actually happened and how Curl isn't to blame at all.