Anthropic’s Claude Mythos Uncovers Over 10,000 Vulnerabilities in Software Security

The software security field has undergone a significant transformation with the release of Anthropic's Project Glasswing results, revealing that Claude Mythos has detected over 10,000 high- or critical-severity vulnerabilities in just one month. This eye-opening figure, compiled from various partners, underscores a pressing challenge: while identifying vulnerabilities has become efficient, resolving them remains difficult.

A Shift in Approach

When Glasswing launched on April 7, Anthropic took a cautious approach, focusing on what would not happen regarding the release of Mythos Preview. However, the results published on May 22 indicate a shift in narrative. The company now expresses conditional optimism about making Mythos-class models publicly available, depending on the development of stronger safeguards. This change in tone suggests a potential evolution in the future of AI-driven security solutions.

The findings stem from a collaborative effort involving around 50 partner organizations, including notable contributors like Cloudflare and Mozilla. Cloudflare reported discovering 2,000 bugs, 400 of which were classified as high or critical severity. Meanwhile, Mozilla's use of Claude Opus 4.6 led to the identification of over 271 vulnerabilities in Firefox 150, marking a significant increase compared to earlier versions.

The Patching Predicament

Despite the impressive rate of discovery, a bottleneck has emerged in the vulnerability management process. Open-source maintainers are struggling to keep pace with the surge of reports, prompting several to request that Anthropic slow down its disclosure pace. Of the 530 high or critical-severity vulnerabilities disclosed, only 75 have been patched thus far. The average patching time for these vulnerabilities is around two weeks, creating a widening gap between discoveries and their remediation.

Daniel Stenberg, founder of cURL, noted that the increased reporting burden on maintainers exacerbates existing challenges within the open-source community. In response, Anthropic has committed $4 million to support the Open Source Security Foundation's Alpha-Omega project, which aims to help maintainers manage the growing number of reports more effectively.

Entering the Public Beta Phase

As Anthropic navigates these complexities, it has also launched Claude Security in public beta for enterprise customers. This tool employs Claude Opus 4.7 to scan code repositories for vulnerabilities and propose fixes. Within three weeks of its introduction, over 2,100 vulnerabilities have been patched, demonstrating a quicker response time compared to open-source efforts.

The introduction of a Cyber Verification Program allows vetted security professionals to use Anthropic's models for legitimate security assessments, although this comes without certain standard safeguards, raising concerns about potential misuse.

Regulatory Scrutiny and Future Directions

The May 22 update has drawn attention from regulators, with the Financial Stability Board seeking a briefing on the cybersecurity vulnerabilities identified by Mythos. This interest reflects a growing awareness of the risks posed by AI-driven technologies in critical sectors, such as finance. The governor of the Bank of England has emphasized the need for financial institutions to prepare for potential threats identified by Mythos.

While the confirmed findings paint a clear picture of vulnerabilities, speculation continues regarding the timeline for a public release of Mythos. Anthropic has not provided a specific date, but the intent to eventually release these models is apparent. Experts suggest that limited enterprise access may not occur until late 2026, with broader availability likely extending into 2027 or beyond.

The dramatic increase in vulnerability discovery enabled by Claude Mythos highlights both the potential and limitations of AI in cybersecurity. As the industry confronts the implications of these findings, effective patch management and regulatory oversight will be key in shaping the future of software security.