Comment by simonw

Presumably the bug reports were private because some of them might relate to curl security.

You can see the fixes that resulted from this in the PRs that mention "sarif" in the curl repository: https://github.com/curl/curl/pulls?q=is%3Apr+sarif+is%3Aclos...