Average number of hours between #curl security reports

Material for a pending presentation

@bagder Please correlate with number of security related bugs introduced into codebase per time slice.

Share of reports that identified bugs (not vulns)

Share of reports that identified bugs (not vulns)

@bagder interesting. Any idea what causes the increased share of reports that identified bugs?

Confirmed vulnerability rate in reports, year to year so far.

@stitzl With this: https://curl.se/dashboard1.html#vulnerabilities-in-releases ?

/cc @bagder

To sum up:

Much higher submission rate. Much higher quality reports. More bugs and more vulnerabilities identified.

also of course: the forecast for 2026 says that we will report a lot of #curl CVEs this year...

@bagder@mastodon.social at least 365?

also of course: the forecast for 2026 says that we will report a lot of #curl CVEs this year...

Oh, and... AI slop rate in submissions has gone back to 2024 levels

Confirmed vulnerability rate in reports, year to year so far.

@bagder Vulnerability of what/where/who exactly?

Oh, and... AI slop rate in submissions has gone back to 2024 levels

@bagder do you think it’s because you removed the bug bounty program or because the tools are getting better?