AI safety
Mythos found 6,202 critical bugs. Now who fixes them?
AI just made finding vulnerabilities cheap. It also revealed how slow fixing them still is.
The answer
Anthropic says Claude Mythos flagged 6,202 high/critical open-source flaws across 1,000+ projects.
Anthropic's first public update on Project Glasswing is the rare AI-capability claim that arrives with independent corroboration — and, just as importantly, with its own caveats stated plainly. Six outside security firms reviewed a sample of the findings; Anthropic published the validation rate alongside the raw count rather than just the headline. That matters, because AI security claims — where self-serving pressure is highest — usually arrive without either. But the most important number here isn't the vulnerability count. It's what the vulnerability count reveals about the machinery downstream.
What Mythos actually found
Scanning more than 1,000 open-source projects, Mythos Preview surfaced 6,202 high- or critical-severity vulnerabilities out of a total of 23,019 findings. Those aren't the same thing: 23,019 is everything the system flagged; 6,202 is the subset rated high or critical severity, a reminder that raw discovery counts aren't impact counts. The accuracy claim needs equal care. Anthropic did not say 90.6% of all 6,202 are real. It said a sample of 1,752 of those high/critical findings was independently assessed by six security firms, and within that sample 90.6% (1,587) were valid true positives, with 62.4% (1,094) confirmed as high or critical. Put differently, of the 1,752 sampled findings, 165 were false positives and a further 493 were real bugs the assessors rated below high, so nearly four in ten of the model's own high/critical calls did not survive review at that severity. Read precisely, that is still an unusually clean signal for an automated tool at this scale, but it is a validated sample, not a blanket certificate over the full set, and the honest version of the claim says so.
Concrete examples add texture to the aggregate. The flagship finding was a certificate-forgery flaw in wolfSSL (CVE-2026-5194, CVSS 9.1), a widely deployed TLS/SSL library embedded in billions of devices. Mythos didn't just flag it; it constructed a working exploit that could forge certificates and impersonate a bank or email provider. It has since been patched. Other examples reach back decades: a 27-year-old TCP-SACK flaw in OpenBSD (a subtle logic bug rather than a forgotten call to an unsafe function) that lets an attacker remotely crash a device, and a 16-year-old bug in FFmpeg. These aren't toys. They are the kind of vulnerability that, left unaddressed, ends up in national-security advisories.
Anthropic said the relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.
The partner network and what it produced
Project Glasswing operates as a restricted early-access programme — roughly 50 vetted partners were given access to Mythos Preview, all of them defensive security teams. The partner list (per Engadget's reporting on 26 May) includes AWS, Apple, Google, Microsoft, NVIDIA, JPMorganChase, Cloudflare, Mozilla and the Linux Foundation — heavy enough to give the programme's results credibility across multiple threat surfaces. Anthropic reports that Glasswing partners' own bug-finding output rose by more than a factor of ten compared with pre-Mythos baselines, and the partner-level numbers bear it out: Cloudflare reported roughly 2,000 bugs (about 400 high or critical) with a false-positive rate it judged better than its human testers', and Mozilla found 271 vulnerabilities in Firefox 150. It isn't just that Mythos is good at this — it's that existing security teams, given the tool, immediately produced an order of magnitude more throughput. The limiting factor was never human skill at recognising a vulnerability once found. It was the speed of looking.
For context, consider what the programme is not. It is not a public release. It is not a benchmark on a curated dataset. It is a live, operational security scan of real open-source code used by real systems, and the results fed back into real patch queues. That's a different claim to 'our model scores well on CyberSecEval' — and a more credible one.
| Metric | Result |
|---|---|
| Projects scanned | 1,000+ open-source |
| Total findings | 23,019 |
| High / critical severity | 6,202 |
| Sample independently assessed | 1,752 (six firms) |
| Valid true positives (in sample) | 90.6% (1,587) |
| Confirmed high/critical (in sample) | 62.4% (1,094) |
| Partner bug-finding uplift | >10× reported |
| Notable confirmed flaw | wolfSSL CVE-2026-5194 (patched) |
| Maintainer support | OpenSSF Alpha-Omega partnership + free tooling |
The asymmetry that is actually the story
The asymmetry is simple to state: a model can now surface a serious bug in minutes of compute, but the fix still costs a maintainer's hours, review and a release. Anthropic's public response amounts to an admission that the discovery engine has outrun the repair pipeline, and, tellingly, that response is tooling and labour rather than a cheque. The update names a partnership with the OpenSSF Alpha-Omega project (which funds maintenance of the most critical open-source software), a Claude Security public beta (Anthropic says Claude Opus 4.7 was used to patch over 2,100 vulnerabilities in three weeks), free Mythos tooling for qualifying security teams, and a Cyber Verification Program for vetted defenders. There is no headline dollar pledge, a detail worth flagging, because the patching gap is a human-hours problem that credits alone would not fix. But the structural read still holds: Glasswing flagged thousands of critical bugs in a matter of months. It will take far longer to patch them all, and in the meantime they sit in a database Anthropic has not made fully public. The dataset remains aggregate and example-based rather than open, which limits what external researchers can independently reproduce, though the six-firm sample assessment is the clearest external check available.
Mythos has already helped its partners find more than ten thousand vulnerabilities overall just a month after Glasswing's launch … the company said that its partners' rate of bug-finding has increased by more than a factor of ten.
What to watch next
Three things are worth tracking. First, patch velocity: the interesting question isn't how many flaws Mythos can find but whether the repair rate improves proportionally. Anthropic's own dashboard already tells the story — high/critical findings average around two weeks to patch, some maintainers have asked Anthropic to slow disclosure, and only a fraction of reported bugs have shipped fixes. If the OpenSSF support and tooling don't accelerate patching, the programme widens the window of known-but-unpatched exposure rather than closing it. Second, offensive capability: the same model characteristics that make Mythos good at finding exploitable conditions make it valuable for building exploits — and at least one security firm says it reproduced comparable findings with public models, so the capability may not stay contained for long. Anthropic's restriction to vetted defenders is the only current safeguard, and it is a policy rather than a technical one. Third, the dataset question: a full public release of the finding set — with partner sign-off and responsible-disclosure timelines — would turn this from a credible vendor claim into a verifiable scientific result. The six-firm sample assessment is a strong proxy; it is not a substitute for reproducibility.
Frequently asked questions
Is Claude Mythos available to use?
Are the vulnerability numbers trustworthy?
What is the wolfSSL flaw and has it been fixed?
Why does Anthropic think patching is the new bottleneck?
What is OpenSSF Alpha-Omega, and is there a cash pledge?
Sources
- Project Glasswing: An initial update — Anthropic, 26 May 2026
- Anthropic says Mythos has already found more than 10,000 vulnerabilities — Engadget, 26 May 2026
- Anthropic: Claude Mythos identified 10,000+ software flaws — Help Net Security, 26 May 2026
- Anthropic's Mythos finds 10,000 critical software flaws — Techzine, 26 May 2026