In a significant shift, Anthropic has amended its disclosure policies for Project Glasswing, allowing cybersecurity partners using its Mythos model to share findings with external parties. This change departs from the previous policy that restricted partners from disclosing any vulnerability insights, effectively keeping valuable information within the program. The update aims to strengthen collective defense against cyber threats, especially for smaller organizations lacking stable cybersecurity resources.
The revised rules, communicated to partners last week, allow organizations to disclose their involvement in Project Glasswing and share findings, tools, best practices, and code with various stakeholders, including regulators and open-source communities. Anthropic has stressed that any sharing must follow responsible-disclosure standards to mitigate risks tied to releasing sensitive information.
This decision comes amid increasing pressure from lawmakers and industry advocates who argue that previous confidentiality measures hindered essential collaboration in combating cybersecurity threats. A letter from Rep. Josh Gottheimer, co-chair of a House Democratic AI commission, highlighted the need for transparency in cybersecurity efforts. He stated that organizations should not be contractually limited in their ability to inform others about urgent cyber risks. Gottheimer also urged competitors like OpenAI to adopt similar transparent practices.
Project Glasswing, which launched in April, has garnered participation from around 50 major companies managing critical digital infrastructure, including tech giants such as Amazon Web Services, Google, and Microsoft. Initial disclosures from participants like Palo Alto Networks and Mozilla indicate that Mythos has been crucial in identifying software vulnerabilities on a scale previously unattainable through conventional methods. Anthropic claims that Mythos has detected thousands of zero-day vulnerabilities during testing, achieving successful exploit development in over 83% of cases.
The implications of these findings extend beyond the immediate participants of the program. With U.S. banks utilizing Mythos to address recently uncovered vulnerabilities, there is an expectation for these findings to be shared with regional and community banks that do not have direct access to the platform. This interconnected approach could significantly enhance the cybersecurity posture of smaller institutions that are often prime targets for cyberattacks.
Despite the relaxed rules, partners must still follow responsible-disclosure conventions. This includes ensuring adequate patching timelines and refraining from releasing potentially harmful details. Such measures aim to balance the need for transparency with the necessity of cybersecurity, preventing sensitive information from being exploited by malicious actors.
As the cybersecurity landscape continues to evolve, the success of Anthropic's revised disclosure policies may set a precedent for other organizations in the AI and tech sectors. The growing recognition of the need for collaboration in addressing cyber risks could prompt more companies to reevaluate their own disclosure practices, fostering a culture of shared responsibility and proactive defense against increasing cyber threats.
