Mythos Model Uncovers Thousands of OSS Vulnerabilities
Anthropic's Claude Mythos model has made a significant discovery, identifying over 23,000 potential vulnerabilities across more than 1,000 open source software (OSS) projects. Of these, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed, including over 1,000 rated 'high' or 'critical' severity.
The findings are still being reviewed, and Anthropic estimates that nearly 3,900 critical and high-severity vulnerabilities will be confirmed based only on current findings. As the scans are ongoing, the company believes the number of severe vulnerabilities may reach 6,200.
Vendor Response and Patching
Anthropic says more than 1,100 unverified findings have been reported to vendors, and 75 issues with a critical or high severity rating have been patched. Vendors have published 65 security advisories. However, the company notes that the number of patches is still relatively low, citing three reasons: the 90-day window for coordinated vulnerability disclosure, undercounting of patches, and the overwhelming volume of vulnerabilities in the security ecosystem.
“The number of patches is still relatively low for three reasons. First, we’re still early in the 90-day window that’s set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon,” the AI company explained. “Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we’re reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem,” it added.
Claude Security and Project Glasswing
In response to the surge in AI-powered vulnerability discovery, Anthropic recently unveiled Claude Security, a codebase scanner designed to help developers find security issues in their applications. The company has also been testing Mythos Preview through Project Glasswing, which has been made available to roughly 50 organizations.
Several participants in Project Glasswing have reported positive results, including Mozilla, which found 271 Firefox vulnerabilities, and Palo Alto Networks, which discovered dozens of flaws. The UK government has also seen good results, and Google has been given access to Mythos, although it's unclear whether the recent surge in Chrome vulnerability detections is due to Mythos or the company's own AI tools.
Limitations and Future Plans
While some organizations have been impressed with the results, others have been less so. For example, Mythos found only one low-severity vulnerability in Curl, leading experts to debate whether this is a failure of the AI model or a testament to the open source data transfer tool's maturity.
Anthropic says it has yet to develop strong enough safeguards to prevent misuse of Mythos, but the company is working to add more organizations to Project Glasswing and hopes to make this class of models generally available in the near future.
- Related: The Mythos Moment: Enterprises Must Fight Agents with Agents
- Related: Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’
- Related: Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos
- Related: OpenAI Widens Access to Cybersecurity Model After Anthropic’s Mythos Reveal
Source: SecurityWeek