You can follow along with the stream of security reports submitted to #curl by watching the ones we make public:

hackerone.com/curl/hacktivity

Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. Hackerone has no method to disclose in bulk or automated, so it is a highly manual and tedious process involving a lot of clicks per single report)