Security
Security is a primary concern for us in the curl project. We take it seriously
and we work hard on providing secure and safe implementations of all protocols
and related code. As soon as we learn about a security-related problem,
or just a suspected problem, we deal with it and we will attempt to provide a
fix and security notice no later than in the next pending release.
We use a responsible disclosure policy, meaning that we prefer to discuss and
work on security fixes out of the public eye and we alert the vendors on the
openwall.org list a few days before we announce the problem and fix to the
world. We do this to shorten the time span in which the bad guys can take
advantage of a problem until a fixed version has been deployed.
Past security problems
Over the years we have had our fair share of security-related problems. We
work hard on documenting every problem thoroughly with all details
listed and clearly stated to aid users. Users of curl should be able to figure
out what problems their particular curl versions and use cases are vulnerable
to.
To help with this, we present this waterfall chart showing which curl
versions each vulnerability affects, and we have this complete list of
all known security problems since the birth of this project.