Paraphrasing: "The world's top security researches and AI labs are pouring all their VC money into finding as many security issues in curl as possible". At the same time, we know that curl is run by volunteers that needs to handle all of this. I'm not saying that we shouldn't do security review of open source libraries, just saying that this situation puts a lot of pressure on the maintainers.
The second unnerving thing is that many of the listed vulnerabilites target embedded libcurl; a library with a much slower update cycle. I'm guessing that many of the listed bugs are still in active use, inside the thousands of applications that use curl internally. Another tricky situation.
Both of these stand in contrast to the posts "braggy" style of "we found the most vulnerabilities of all!!!".
This is true, and worth saying, but it is also a problem of the OSS philosophy. All software is used at your own risk, so if maintainers want their software used they need to keep up, and the (true) promise of "more eyeballs means more secure software" has this downside built in.
Based on the eye candy I imagine the team consists of a bunch of VC bros on their macbooks drinking chai lattes. Not sure if that is the impression you want to portray to a technical audience.
The eye candy might work with nontechnical VCs though, so you do you.
rho138•1h ago