[Notifications](/login?return_to=%2Flibexpat%2Flibexpat)You must be signed in to change notification settings -
[Fork 516](/login?return_to=%2Flibexpat%2Flibexpat)
Description #
Hello! 👋
Following a recent announcement of the cURL project, the libexpat project is joining in with a break and will not accept or otherwise handle any new vulnerability reports until 2026-08-01 starting today, take a deep breath, and continue working on
[known unfixed vulnerabilities](https://github.com/libexpat/libexpat/issues/1160)and
[the upcoming release](https://github.com/libexpat/libexpat/issues/1276)at a sustainable pace.
That means:
If you run into vulnerabilities in libexpat and would like to disclose them responsibly, please hold your horses until 2026-08-01 and thenreach out with a report. -
If you are throwing AI or fuzzing or security research at libexpat these days please hit the button and resume on/after 2026-08-01. #
If you would like to fund work on libexpat, please reach out via e-mail. #
If you would like to be notified of the break period ending early, please feel free to subscribe to this issue. Thanks for your understanding! 🙏
Sebastian Pipping, Berlin, 2026-06-15 PS: Comments are intentionally closed, please reach out via the e-mail in my profile, instead.
CC @Smattr @berkayurun @hannob @StanFromIreland @netliomax25-code @alessandrogario