The Maintainer Bill

Daniel Stenberg, curl's lead maintainer, reports that high-quality AI-assisted vulnerability reports are now arriving at four to five times the 2024 rate, better than one a day, putting the project on pace for a record thirty-plus CVEs before June. The reports are real and the security gain is real, but the cost structure is lopsided: enterprises capture the productivity, AI labs capture the revenue, and the volunteer maintainers underneath the stack absorb the triage hours nobody is paying to expand. AI productivity, as it is currently priced, does not internalize the maintenance load it creates at the bottom of the dependency tree.

Daniel Stenberg, the lead maintainer of curl, wrote on May 26 that incoming security reports are now arriving at four to five times the 2024 rate and double the 2025 rate, averaging better than one a day. With half a release cycle still to run, curl has twelve confirmed vulnerabilities pending, which puts the project on pace to clear thirty CVEs in 2026 before June, a record. Stenberg writes that, for the first time in his life, his wife voiced concerns about his work hours.

Curl is a small open-source command-line tool and code library used by almost every connected device to make HTTP requests on the internet. It ships inside iOS, Android, every major Linux distribution, Windows, in-car infotainment systems, the build pipelines that release your apps, and the API clients your developers reach for first. Stenberg has been the lead maintainer since 1997, working on it full-time since 2019, with a core team of a handful of contributors. The maintenance capacity behind a dependency that took decades to build is, in practice, one person.

What changed around March 2026, by Stenberg's account, is not the volume of low-quality AI-generated slop reports that defined the 2024 problem. What's now flooding curl is high-quality work: detailed, well-written, accurately reasoned vulnerability reports that the curl team has to take seriously because most of them turn out to be real. AI-assisted security research stopped being a noise source and became a signal source, and the signal volume is now larger than one full-time maintainer can process.

That asymmetry is worth holding still on. The same enterprise that's celebrating a 25% Claude Code commit rate is, this week, sending Stenberg more high-quality security reports than he can triage, by a factor he didn't sign up for and isn't being paid to absorb.

Enterprise productivity, AI vendor revenue, maintainer pressure. The loop runs at the maintainer's expense.

Imagine a 600-person engineering org that licensed Claude Enterprise last quarter and saw real productivity gains. Tickets would close faster, code review queues would thin out, the CTO would have internal numbers that make her quarter. None of that productivity would touch the curl project, the OpenSSL project, the libxml2 project, or any of the other small-team and one-maintainer dependencies the org's stack runs on. What would touch those projects is the side effect: the same productivity tools, in the hands of bug-bounty researchers and security firms, would generate detailed vulnerability reports at a rate Stenberg called "never-before seen."

The economic shape is clean: enterprises capture the productivity gain, AI labs capture the revenue, and open-source maintainers, who are almost entirely volunteer or thinly sponsored, absorb the resulting cost in maintenance hours. The closed-loop figure isn't a metaphor. Every dollar of AI productivity gain at the top of the stack is partly underwritten by a fixed-cost maintenance pool at the bottom that nobody is paying to expand.

The steelman is that better-quality security reports produce more secure software, and that's a real public good. True, and curl has fixed thirty vulnerabilities this year that wouldn't have been found at all without the surge. The good is real; the problem isn't that the security research is bad, it's that the receiving infrastructure was sized for 2024 report volume and is being asked to absorb 2026 volume with the same number of maintainers. Other infrastructure-tier open source projects are running the same math and starting to publicly note it, and none of them have a way to scale their maintenance pool either.

The thing worth seeing is that AI productivity, as it's currently priced, doesn't internalize this cost. The buyer's per-seat AI bill flows to Anthropic or OpenAI while the resulting maintenance hours flow to Stenberg, and the supply-chain stability of the enterprise stack quietly depends on whether the maintainers it has never paid keep working hours their own families have started to question.

What to Do With This

This week, pick three open-source projects your production stack depends on. Curl, OpenSSL, libxml2, jq, Postgres extensions, the Python packages that sit two levels deep in your requirements file. Find each project's sponsorship page or maintainer's GitHub Sponsors. Send each one some money, with a real comment about which of your products their work keeps running.

The amount is less important than the act of marking the dependency on your own books. You don't have to absorb the full externality, but the firms that send nothing are running a free-ride strategy with a brittle expiration date.

Also on the Radar

Anthropic's Run-Rate Revenue Hits $47B in Series H Disclosure

Anthropic disclosed a $47 billion run-rate revenue figure in its Series H announcement, up from $30 billion in April and $9 billion at the end of 2025. Simon Willison's May 29 compilation walks the trajectory: roughly doubling every quarter. The buyer-side question stops being whether AI vendors are viable businesses and starts being which of them can still be acquired at any reasonable valuation.

Coding Agents Are the AI Category That Found Product-Market Fit

Simon Willison argued on May 27 that Anthropic and OpenAI have hit genuine PMF on enterprise coding agents specifically, not chat. Evidence: both labs shifted enterprise pricing to API-rate seats in April, Uber disclosed 25% of code commits via Claude Code last quarter, and Anthropic's hiring mix is now 26.9% enterprise-focused (OpenAI 32.6%). If your team is still benchmarking on chat use cases, you're measuring the wrong category.