Anthropic Glasswing month 1 — 10,000+ critical bugs, humans can't patch fast enough
TL;DR
Anthropic Project Glasswing's first month: Claude Mythos Preview and ~50 partners found 10,000+ high/critical vulnerabilities in major systems software. Of ~6,202 disclosed, only 75 patched. Humans can't keep up.
Background: Anthropic last month launched the Project Glasswing cybersecurity initiative. In one month, its unreleased Claude Mythos Preview model and ~50 partners have found over 10,000 high or critical-severity vulnerabilities in the world's most important systems software.
Bottleneck flip: finding bugs is fast, patching isn't. Past software security progress was bottlenecked by the human rate of finding new bugs. The game has changed: the bottleneck is now human capacity to verify, disclose, and patch the volume AI uncovers. Anthropic scanned thousands of open-source projects, estimating up to 6,202 high-severity vulnerabilities. Only 530 have been disclosed to maintainers, and only 75 fixed. AI accuracy isn't the issue. The open-source community's human capacity has hit its limit: facing an AI-scale «bug finder», many maintainers have asked Anthropic to slow disclosure to gain time to design patches.
Defenders' asymmetric edge. Partners like Cloudflare and Mozilla report 10×+ improvements in vulnerability discovery. This gives system-critical infrastructure defenders a major asymmetric advantage. To protect end users, Anthropic adheres strictly to 90-day coordinated disclosure conventions. Current public patch counts are a lagging indicator of AI cyberattack acceleration — most details remain temporarily sealed.
Why not release the Mythos model. This also explains why Anthropic hasn't opened Mythos-tier access. Officially: no company (including Anthropic) has yet developed guardrails strong enough to prevent abuse of «hacker-tier» models. Unrestricted release would put cheap, easy software exploitation in nearly anyone's hands.
Project Glasswing's core strategy: before such capable models inevitably spread or fall into bad hands, vaccinate global cyber infrastructure first.
via Anthropic
