Comment by zarzavat
15 hours ago
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
15 hours ago
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
Especially since it appears there is a solution if you truly need a fix.
> Or you get a support contract and we get to read about it earlier.
> Especially since it appears there is a solution if you truly need a fix.
If you ever really need anything fixed in the open source world, there is always the option of doing it yourself
Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part.
6 replies →
Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.
In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.
That was just a beautiful, period.
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
Mythos found only one. Would have to be pretty serious bad guys.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
Remember though that many other AIs had already run and found issues that were fixed. If you had a time machine and took Mythos back a year it probably would have found a lot more. (if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check)
1 reply →
The bad guys wouldn't have submitted a vuln report anyway.
Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using
Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.
if a company has a problem with this pay for support if its not worth the money …
Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.
Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.
In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)