www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-wh...
2 corrections found
In the curl 8.18.0 released January 8, 2026, we were in fact responsible for 3 of the 6 CVEs disclosed and fixed.
curl 8.18.0 was released on January 7, 2026—not January 8, 2026.
Full reasoning
The post states that curl 8.18.0 was released on January 8, 2026. However, curl’s official release/version list shows “8.18.0: January 7, 2026.” This is an official project document that records the release dates of curl versions.
Because the claim is a precise date statement and the official curl documentation gives a different date, the claim is incorrect.
1 source
- curl - Versions (official curl documentation)
Past releases ... 8.18.0: January 7, 2026
The program that had run since 2019 and paid out over $90,000 for 81 genuine vulnerabilities was essentially killed by the flood of low-quality AI submissions.
As of the program’s end announcement, curl’s bug-bounty had 87 confirmed vulnerabilities and paid over $100,000—so “81” is not the correct total.
Full reasoning
In the context of describing the curl bug-bounty being ended, the post gives the program totals as 81 vulnerabilities and over $90,000 paid.
Daniel Stenberg’s announcement post about ending the curl bug-bounty (dated January 26, 2026) states that the program resulted in “87 confirmed vulnerabilities and over 100,000 USD paid as rewards to researchers.” That directly contradicts the post’s “81” figure as the program’s total at shutdown time.
(While “over $90,000” is still technically true if the real amount is over $100,000, the specific total count “81” conflicts with the maintainer’s stated total “87.”)
1 source
- The end of the curl bug-bounty | daniel.haxx.se (Daniel Stenberg)
...We have certainly made curl better as a direct result of this: 87 confirmed vulnerabilities and over 100,000 USD paid as rewards to researchers.