CVE-2026-3784 beat a new #curl record. This flaw existed in curl source code for 24.97 years before it was discovered.

Illustrated in the slightly hard-to-read graph below. The average age of a curl vulnerability when reported is eight years.

https://curl.se/docs/CVE-2026-3784.html

@bagder What happened around 2017-19? Sharp drop in age (and number?) of "high" vulnerabilities? Have they all been found? Has code quality increased? Bug bounties?

I second @bsdphk - this is remarkable and very useful data. Thank you!
@ltning @bsdphk better tooling, fuzzing and CI taking off maybe?

@bagder @ltning

I will argue that we have done all of that in Vinyl Cache (The FOSS project formerly known as Varnish Cache), and we still end up with CVEs.

But obviously, those tools are a major reason we have so few CVEs.

@bsdphk @ltning well sure, we run all those tools and many more in curl as well, and we still get CVEs. Traditional tools have had the limitation that they have required the code to compile or run to be able to find problems, and sometimes build targets and build options combined have made it hard.