This is briefly mentioned in the article, but from the report[1]:
> It should be noted that the scope of the code reviewed within this audit is relatively narrow. In particular, while we audited cURL’s use of the third-party libraries ngtcp2, nghttp3, quiche, and msh3 to implement HTTP/3 functionality, we did not investigate the internals of those libraries—which is where the majority of the low-level parsing and data transformation necessitated by the HTTP/3 protocol occurs.
The report goes on to concede:
> [we] did not observe any coverage of the nghttp3 library code. We suspect that, as the HTTP/3 protocol itself is significantly intertwined with TLS, the encryption makes it hard for a fuzzer to progress to the point where data can be decoded and parsed meaningfully.
> Because of curl’s use of third party libraries for doing QUIC and HTTP/3, the report advises that there should be follow-up audits of the involved libraries. Fair proposal, but that is of course something that is beyond what we as a project can do.
Indeed, the next thing would be for the third-party libraries to go through a similar audit!
[0] https://www.sovereigntechfund.de/