Curl Security Moves Again
- #security
- #vulnerability-reporting
- #curl
- curl is returning to HackerOne for security vulnerability reports starting March 1st, 2026, after a failed attempt to use GitHub for the same purpose.
- The curl security team realized GitHub's setup lacked essential features for proper vulnerability reporting, such as private team comments, customizable CVE fields, and proper disclosure of invalid reports.
- Key requirements for a security reporting system include private submissions, public disclosure, discussion capabilities, and the ability to ban abusive users.
- GitHub's limitations include insecure email notifications, inability to edit CVE numbers, lack of labels, and no private team comments.
- Handling reports via email is challenging due to difficulty in tracking open issues and disclosing invalid reports.
- Other platforms like GitLab and Codeberg lack the necessary security reporting features, making them unsuitable for curl's needs.