In the end we decided on *not* a #curl security issue, but it's not an easy one to make:
curl disclosed on HackerOne: OpenSSL backend: X509 peer certificate...
Summary: In curl’s OpenSSL backend, `ossl_get_channel_binding` retains a new reference to the server’s X509 certificate via `SSL_get1_peer_certificate` and never releases it. When Negotiate...
Iain Collins, in reply to daniel:// stenberg://:
Appreciate your transparency with the process and outcome here.
It's really helpful to be able to reference how maintainers of well-known / well-respected projects have handled issues like this where it's not always clear-cut.