curl is installed on roughly 30 billion devices. It's arguably the most scrutinised, most-fuzzed networking library on the planet. And right now, its creator is burning out.
Not because curl is suddenly full of holes. Because AI-powered security research has reached a quality and volume that human maintainers weren't built to absorb.
Daniel Stenberg, curl's founder and lead developer, published a raw, honest post this week:
"The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 — meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically very detailed and long."
This isn't the slop era anymore. In 2024, Stenberg was writing about stupid LLM hallucinations flooding bug trackers. In early 2025, it was "death by a thousand slops." Now in 2026, the tooling has matured — and so has the pressure.
Here's the thing: technically, curl is holding up. Every vulnerability found in the last few years has been rated LOW or MEDIUM severity. The last HIGH severity CVE was October 2023. Thirty years of relentless engineering means the catastrophic holes are genuinely rare.
But that's almost beside the point. The constraint isn't bug quality — it's human bandwidth.
AI security tooling can now do systematic, deep code analysis at scale. That's a net positive for software quality. But there's no corresponding scaling on the other side: the small team of maintainers who verify each report, write patches, coordinate disclosure timelines, and ship fixes.
Stenberg is direct about the math: "There's a tsunami coming over us and all we can do is swim, there are no life boats for us."
If the best-maintained piece of critical infrastructure on the internet is struggling, the rest of the open source ecosystem should be paying close attention. This is the open source sustainability crisis getting an AI-shaped edge. The industry consumes billions of dollars of free infrastructure, and maintainers absorb the cost — now including the cost of being the last human checkpoint in an AI-powered security research pipeline.
Curl at least has some paying customers. Most projects don't.
Sources: The pressure — Daniel Stenberg · Simon Willison's linkblog

✏️ Drafted with KewBot (AI), edited and approved by Drew.