Mythos found the bugs. Who funds the fixes?
Canadian Prime Minister Mark Carney invoked Mythos, Anthropic's infamous Project Glasswing model, during a Q&A at the Economic Club of New York, a room filled with some of America's deepest pocketbooks.
While speaking on what he saw as three core factors driving broad inflationary market pressures, Carney named the third pillar:
"The cost of cyber protection. [...] Everyone knows what Mythos is in this room. And that's - I think - going to be the very early stages of a big operating spend that's going to be required to address those issues. The marginal cost of software is no longer zero, it's actually quite material, and it's likely to be there for some time."
So now, on top of the massive sums companies are spending on AI infrastructure (another of his pressures) and on tokens to use AI, a third force is emerging: the cost of defending all the existing software that AI is now able to scrutinize.
In its warning, the UK's National Cyber Security Centre speaks of an AI-fuelled "patch wave": a rush of software updates that will need to move across the stack as automated vulnerability discovery improves. That is a more sober version of the same premise. Discovery accelerates first, then everything else has to catch up.
Gnarly patch wave
Yikes. But is this incredible new pressure real?
Mythos is a-comin'
The strongest evidence in support comes from the groups actually running these systems against production-scale code.
Anthropic's own coordinated vulnerability disclosure dashboard is the bluntest version of the story. Though it would be, right?
As of May 22, 2026, it reports 23,019 Mythos candidate findings, 1,900 reviewed by external security firms, 1,596 disclosed vulnerabilities across 281 open source projects, and 97 patched upstream.
Those numbers do not mean every candidate is a real bug, or that every disclosed issue deserves an urgent patch. But they do show candidate generation moving faster than the disclosure and repair pipeline.
Morbid note: Anthropic calls independent human review the "rate-limiting step."
Silly humans! Just clogging up the chocolate money-river.
Mozilla's Firefox work is the best public example of Mythos producing a real defensive outcome. Mozilla wrote that Firefox 150 shipped fixes for 271 vulnerabilities identified during its Mythos evaluation. In its deeper write-up, the Firefox team described the shift with the memorable line: "Suddenly, the bugs are very good".
But there's an essential point that is easy to miss. Mozilla's result came not just from getting access to a powerful new model. Their follow-up stated that the impact came from both more capable models and better harnessing techniques.
Strap in: harness required
At Mozilla, Mythos had a very robust and helpful guardrail: their own harness. It's built on top of existing fuzzing infrastructure, uses parallelized jobs across ephemeral VMs, deduplicates findings, triages reports, tracks bugs, reviews patches, tests fixes, and manages releases. In April 2026, they fixed 423 security bugs. Over 100 people contributed code to that effort.
Cloudflare tells a similar story from a different angle. In "Project Glasswing: what Mythos showed us", Cloudflare calls Mythos "a real step forward," but the important part of the post is the workflow. They argue that "pointing a generic coding agent at a repo doesn't work" for meaningful vulnerability coverage.
This is Cloudflare; their existing security apparatus is robust. Their custom harness uses recon, hunt, validate, gapfill, dedupe, trace, feedback, and report stages. It runs many narrow tasks in parallel rather than asking one agent to be exhaustive. It's deep engineering.
As Krang, capable warlord, requires a robo-bod for (mostly) successful criminality.
That should temper things. What works is not a "throw it into the model's gaping maw" pass over a full repository. Mythos' success is enabled and catalyzed by a sophisticated security pipeline in a strong organization.
Independent offensive security work points the same way. XBOW's evaluation calls Mythos powerful but not magical, and still recommends a multi-model pipeline rather than exclusive reliance on Mythos. AISLE's public-model work is another useful counterweight: smaller and public models can find real vulnerabilities... when they are wrapped in a capable harness.
Daniel Stenberg's curl write-up is also a useful reality check. In "Mythos finds a curl vulnerability", he writes: "Five findings became one". Mythos analyzed about 178K lines in curl's src/ and lib/ directories and reported five "confirmed security vulnerabilities." The curl team reduced those to one confirmed low-severity vulnerability, three false positives, and one ordinary bug.
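The Mozilla and Cloudflare harness descriptions above, and curl's "five findings became one", all turn on the same two stages: deduplicating candidate findings and then having a reviewer decide whether each unique finding is a confirmed vulnerability, an ordinary bug, or a false positive. The sketch below is an added illustration of that funnel, not code from Mozilla, Cloudflare, curl or Anthropic. The `Candidate` fields, the fingerprinting rule (sink class plus the top stack frames) and the five sample findings are all constructed for this example and are not the real curl findings; the point is to show why raw candidate counts overstate the number of patches anyone will have to fund.

```python
"""Illustrative candidate-finding triage funnel (constructed example, not any vendor's pipeline)."""
from collections import Counter, OrderedDict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Candidate:
    """One model-generated finding, as a harness might record it (assumed schema)."""
    cid: str
    sink: str                 # bug class the model claims, e.g. "out-of-bounds-read"
    stack: tuple              # innermost frames first, as reported by the sanitizer/reproducer
    reproduced: bool          # did an independent reproducer actually trigger the behaviour?
    crosses_trust_boundary: bool  # reviewer's call: is untrusted input able to reach it?


def fingerprint(c: Candidate, depth: int = 3) -> str:
    """Collapse findings that share a sink class and the same top frames.

    This is the usual crash-bucketing idea from fuzzing: the model may phrase the
    same underlying defect several ways, but the sanitizer signature is the same.
    """
    key = "|".join([c.sink, *c.stack[:depth]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def dedupe(cands):
    """Group candidates by fingerprint, preserving first-seen order."""
    groups = OrderedDict()
    for c in cands:
        groups.setdefault(fingerprint(c), []).append(c)
    return groups


def classify(group):
    """Reviewer verdict for one unique finding.

    Nothing reproduced -> false positive; reproduced but not reachable by an
    attacker -> ordinary bug; reproduced and reachable -> confirmed vulnerability.
    """
    reproduced = [c for c in group if c.reproduced]
    if not reproduced:
        return "false positive"
    if any(c.crosses_trust_boundary for c in reproduced):
        return "confirmed vulnerability"
    return "ordinary bug"


def triage(cands):
    """Run dedupe + review and return (verdict per fingerprint, funnel counts)."""
    groups = dedupe(cands)
    verdicts = {fp: classify(g) for fp, g in groups.items()}
    funnel = {"candidates": len(cands), "unique": len(groups)}
    funnel.update(Counter(verdicts.values()))
    return verdicts, funnel


# Constructed sample: five raw findings, two of which are the same defect.
SAMPLE = [
    Candidate("m-1", "out-of-bounds-read", ("parse_header", "read_line", "transfer"), True, True),
    Candidate("m-2", "out-of-bounds-read", ("parse_header", "read_line", "transfer"), False, False),
    Candidate("m-3", "integer-overflow", ("calc_len", "alloc_buf", "transfer"), False, False),
    Candidate("m-4", "null-deref", ("cleanup", "close_conn", "transfer"), True, False),
    Candidate("m-5", "use-after-free", ("free_slot", "pool_drop", "transfer"), False, False),
]


def run_sample():
    return triage(SAMPLE)


if __name__ == "__main__":
    verdicts, funnel = run_sample()
    for fp, v in verdicts.items():
        print(fp, v)
    print(funnel)
```

On this constructed input the five candidates collapse to four unique findings, of which one is a confirmed vulnerability, one is an ordinary bug and two are false positives; the "reviewed by humans" step is exactly where the count drops, which is why Anthropic can call independent review the rate-limiting step.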
We've found a middle ground: Mythos is powerful, but not magical.
AI-assisted...