Anthropic's coordinated vulnerability disclosure dashboard

Last updated 2026-05-22 10:27 PT.

In February 2026, Anthropic began using an early snapshot of Claude Mythos Preview to find security vulnerabilities in open-source software. We then partnered with external security research firms to triage findings, validate them, and report human-reviewed critical- or high-severity vulnerabilities to the software's maintainers under our Coordinated Vulnerability Disclosure policy. This page tracks the findings that we've disclosed, and, in line with our policy, publishes details of the ones whose disclosure window has now closed.

As of May 22, 2026, we've disclosed 1,596 vulnerabilities across 281 open source projects. To our knowledge, 97 of these have been patched. Of those, 88 have been assigned a Common Vulnerabilities and Exposures (CVE) record or a GitHub Security Advisory (GHSA); in the remaining cases, maintainers shipped a fix without publishing an advisory. The number of vulnerabilities we've disclosed is a subset of the total number that Mythos Preview has found, because independent human triage and review is the rate-limiting step.

This page gives a headline count of the vulnerabilities we've disclosed and a breakdown of those by class. For disclosed vulnerabilities whose disclosure window has now closed, it also lists identifier records (CVE and GHSA) and finding details, further below.

Finally, it includes a disclosure ledger, which lists a hash commitment for every finding we've disclosed that is still inside the disclosure window, so that the finding's existence and commitment date can be proved without revealing its content.

Discovered -> Triaged

  23,019 findings    Candidates
   1,900 findings    Reviewed by external security firms
   1,726 findings    Confirmed valid (90.8% true positives of the 1,900 reviewed)
     467 findings    Reported to maintainers after external review
   1,129 findings    Reported directly to maintainers by Anthropic, at their request (may contain false positives)

Disclosed -> Remediated

   1,596 findings    Total reported to maintainers (467 + 1,129)
   1,451 findings    Acknowledged by maintainer
      97 findings    Patched upstream
      88 advisories  Security advisories published

Counts as of May 22, 2026

The statistics above reflect all bugs found by Claude Mythos Preview. In the near future, we'll add the ability to filter this data by severity. These figures are designed to reflect our coordinated vulnerability disclosure process, which works approximately as follows. A glossary of the terms is available on the About page.

First, Mythos Preview finds candidate vulnerabilities, which we add to a list for human triage. This is the figure at the top.

Then, in order to disclose a vulnerability to a maintainer, we take one of two steps.

Triage: In most cases, we pass them to one of six external security research firms that we have engaged for this endeavor, or we triage them ourselves. We or the security research firms reproduce each issue, assess whether it is a real bug (and if so, assess how severe it is), and then write a report for confirmed bugs that will go to the project's maintainer. Importantly, there are many additional bugs that we or our security partners have investigated and confirmed are real but that we have not yet reported to maintainers, due to capacity limitations.

In our triage process, the "true positive rate" (the number of findings confirmed as valid, as a share of the number of findings manually reviewed) reflects how often the external security research firms determined that a finding Mythos Preview produced was a real vulnerability. This includes real bugs that we later discover have already been reported, and "won't fix" findings (the bug is real, but the maintainer is unlikely to address it, for example because it falls outside the project's threat model or affects code that isn't typically reachable). We include these in the true positive rate because we rely on our security research partners, rather than maintainers, to tell us how many bugs they've confirmed, and it's only after maintainers have received the report and assessed the vulnerability that we learn whether it is one they plan to fix. It's also possible that a security research partner has marked a finding as a true positive (or a false positive) in error. Given this, the number of "true positives" in the dashboard above should be taken as only one proxy for impact. A more reliable proxy is the number of patches created, though this is a lagging indicator of progress, since patches take time to produce.

Direct disclosure: Some vulnerabilities are disclosed to maintainers directly by Anthropic staff, and don't go through the same independent check. This happens when maintainers specifically request that we provide them un-triaged findings.

Once bugs have either been triaged or directly disclosed, "Acknowledged by...
