Average number of hours between #curl security reports

icing@chaos.social

@stitzl With this: https://curl.se/dashboard1.html#vulnerabilities-in-releases ?

/cc @bagder

felix_eckhardt@det.social

@bagder interesting. Any idea what causes the increased share of reports that identified bugs?

bagder@mastodon.social

Confirmed vulnerability rate in reports, year to year so far.

bagder@mastodon.social

@felix_eckhardt improved tooling. AI.

bagder@mastodon.social

To sum up:

Much higher submission rate. Much higher quality reports. More bugs and more vulnerabilities identified.

stitzl@mastodon.social

@icing Yes, close enough. Awesome! ️ @bagder

bagder@mastodon.social

also of course: the forecast for 2026 says that we will report a lot of #curl CVEs this year...

kura@hai.z0ne.social

@bagder@mastodon.social at least 365?

kura@hai.z0ne.social

@bagder@mastodon.social oh wait, just one fifth of that

bagder@mastodon.social

Oh, and... AI slop rate in submissions has gone back to 2024 levels

by_caballero@mastodon.social

@bagder yaaaaaaay nature is healing

eliskunk@queer.group

@bagder Vulnerability of what/where/who exactly?

bagder@mastodon.social

@eliskunk in curl

lukstru@toot.kif.rocks

@bagder do you think it’s because you removed the bug bounty program or because the tools are getting better?

bagder@mastodon.social

@lukstru since this trend is seen across many projects, we can be fairly sure that nothing we did specifically drives this change