[ghoward]

Do you have your process of how to handle bug reports written down? I'd love to see it, especially if it includes what data you gather, like the commit that introduced a bug.

I guess it's probably in everything curl or will be?

[bagder]

I only record the introduction commit for security flaws as they are rare and important enough to give that level of attention. And that's not a mandatory or required step in our process, I do it mostly as a service for users and to satisfy my own curiosity.

Our process for handling security problems in curl is documented here: https://curl.se/dev/secprocess.html