Stanislav Fort
QUIC pin public key bypass.
CVE-2025-14017.
Threaded LDAPS TLS options broken.
CVE-2025-14819.
OpenSSL partial chain store policy bypass.
In the curl 8.18.0 release, January 8, 2026, we were in fact responsible for three of the six CVEs disclosed and fixed.
After initial HackerOne reports, we moved to direct private communication with the curl security team, reporting over 30 additional issues, the majority of which were valid, true positive security issues.
24 curl PRs now include some variant of "reported by Stanislav Fort" as a result.
In October 2025, Daniel Stenberg wrote "A new breed of analyzers", acknowledging that some AI-driven security research was producing genuinely valuable results.
He explicitly mentioned AI-driven discovery.
As we started to plow through the huge list of issues from Joshua, we received yet another security report against Curl.
This time by Stanislav Fort from Aisle, using their own AI-powered tooling and pipeline for code analysis.
Getting security reports is not uncommon for us, we tend to get two to three every week, but on September 23rd we got another one we could confirm was a real vulnerability.
Again, an AI-powered analysis tool had been used.
End quote.
In his curl 2025 year in review, under AI improvements, Daniel Stenberg even wrote directly.
Quote.
A new breed of AI-powered high-quality code analyzers, primarily ZeroPath and Aisle Research, started pouring in bug reports to us with potential defects.
We have fixed several hundred bugs as a direct result of those reports.
So far.