Mythos found the bugs. Who pays for the fixes?

goodroot1 pts0 comments

Mythos found the bugs. Who pays for the fixes? · opub

Update, June 9, 2026: Anthropic launches Claude Fable 5 and Claude Mythos 5.

In an interesting twist, the latest and greatest Anthropic models are only temporarily available with a subscription. After a short trial window, access to the frontier will require usage credits.

Previously, Claude Opus 4.8 cost the most: $5 / million input tokens, $25 / million output tokens. And the new Fable / Mythos? $10 per million input tokens and $50 per million output tokens. Double.

There's a storm brewing. In this article, we unpack a vital question: if these models are so proficient in finding vulnerabilities and are considered dangerous, who is going to pay the security bill after their release?

Once the safety harnesses soften, competitors catch up and projects face a deluge of required fixes, what happens?

For companies, fine. They will make a spreadsheet, and likely pass the costs to consumers.

For open source, it doesn't look good - that's the story we're after.

The Mythos Preview warning shot

Not two weeks ago, Canadian Prime Minister Mark Carney invoked the Mythos Preview, Anthropic's infamous Project Glasswing model, during a Q&A at the Economic Club of New York, a room filled with some of America's deepest pocketbooks.

While speaking on what he saw as three core factors driving broad inflationary market pressures, Carney named the third pillar:

"The cost of cyber protection. [...] Everyone knows what Mythos is in this room. And that's - I think - going to be the very early stages of a big operating spend that's going to be required to address those issues. The marginal cost of software is no longer zero, it's actually quite material, and it's likely to be there for some time."

So now, not only are companies spending massive sums of money on infrastructure for AI (another one of his pressures) and on tokens to use AI, there is an emerging third force: the cost of defending all the existing software AI is now able to scrutinize.

In its warning, the UK's National Cyber Security Centre speaks of an AI-fuelled "patch wave": a rush of software updates that will need to move across the stack as automated vulnerability discovery improves. That is a more sober version of the same premise. Discovery accelerates first, then everything else has to catch up.

Gnarly patch wave

Yikes. But is this incredible new pressure real?

Mythos is a-comin'

The strongest evidence in support comes from the groups actually running these systems against production-scale code.

Anthropic's own coordinated vulnerability disclosure dashboard is the bluntest version of the story. Though it would be, right?

As of May 22, 2026, it reports 23,019 Mythos candidate findings, 1,900 reviewed by external security firms, 1,596 disclosed vulnerabilities across 281 open source projects, and 97 patched upstream.

Those numbers do not mean every candidate is a real bug, or that every disclosed issue deserves an urgent patch. But they do show candidate generation moving faster than the disclosure and repair pipeline.

Morbid note: Anthropic calls independent human review the "rate-limiting step."

Just rate-limiting and clogging up the chocolatey money-river.

Mozilla's Firefox work is the best public example of Mythos producing a real defensive outcome. Mozilla wrote that Firefox 150 shipped fixes for 271 vulnerabilities identified during its Mythos evaluation. In its deeper write-up, the Firefox team described the shift with the memorable line: "Suddenly, the bugs are very good".

But there's an essential point that is easy to miss. Mozilla's result came not just from getting access to a powerful new model. Their follow-up stated that the impact came from both more capable models and better harnessing techniques.

Strap in: harness required

At Mozilla, Mythos had a very robust and helpful guardrail: their own harness. It's built on top of existing fuzzing infrastructure, uses parallelized jobs across ephemeral VMs, deduplicates findings, triages reports, tracks bugs, reviews patches, tests fixes, and manages releases. In April 2026, they fixed 423 security bugs. Over 100 people contributed code to that effort.

Cloudflare tells a similar story from a different angle. In "Project Glasswing: what Mythos showed us", Cloudflare calls Mythos "a real step forward," but the important part of the post is the workflow. They argue that "pointing a generic coding agent at a repo doesn't work" for meaningful vulnerability coverage.

This is Cloudflare; their existing security apparatus is robust. Their custom harness uses recon, hunt, validate, gapfill, dedupe, trace, feedback, and report stages. It runs many narrow tasks in parallel rather than asking one agent to be exhaustive. It's deep engineering.

As Krang, capable warlord, requires a robo-bod for (mostly) successful criminality.

That...
