Anthropic methods open-sourced
- Anthropic's Project Glasswing used an AI vulnerability workflow to find thousands of zero-day flaws, according to reports.
- Security researcher Eric Hartford published Clearwing, a model-agnostic pipeline that replicates the project's workflow.
- The release suggests advanced automated vulnerability pipelines are becoming more accessible for defensive security and audit work. (x.com)
A software bug is a mistake in code; a zero-day is one nobody has found and fixed yet. Anthropic said on April 7 that its Project Glasswing workflow had already uncovered thousands of high-severity flaws, and Eric Hartford has now published an open-source version called Clearwing. (anthropic.com) (github.com)

Anthropic said its unreleased Claude Mythos 2 Preview found vulnerabilities in every major operating system and every major web browser during internal testing. The company said more than 99% of the flaws it found were still unpatched, so it withheld technical details under coordinated disclosure rules. (anthropic.com)

On April 7, Anthropic launched Project Glasswing with 12 named partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. It also said it had extended access to more than 40 additional organizations that maintain critical software. (anthropic.com)

Clearwing tries to reproduce that playbook with publicly available models instead of Anthropic's unreleased one. Hartford's GitHub repository describes it as an "autonomous vulnerability scanner and source-code hunter" built on LangGraph. (github.com)

The source-code side works like a triage line for code. According to the README, Clearwing ranks files by likely attack surface, sends separate agents to inspect them, treats AddressSanitizer and UndefinedBehaviorSanitizer crashes as proof that a bug is real, then runs a second-pass verifier before writing reports. (github.com 1) (github.com 2)

The network-testing side is broader than code review alone. The README says the tool has 63 bound tools, can scan live targets, run Kali Linux tools in a sandbox, attempt exploits behind a human-approval gate, and store findings in a persistent knowledge graph. (github.com)

Hartford's repository says Clearwing supports multiple model providers, including Anthropic, OpenRouter, Ollama, LM Studio, and "any OpenAI-compatible endpoint." A commit log shows the project's public release work landed in mid-April, with a 1.0.0 release workflow and README updates on April 15. (github.com 1) (github.com 2)

Anthropic framed Glasswing as a defensive program, not a public product launch. The company said it is committing up to $100 million in Mythos Preview usage credits and $4 million in direct donations to open-source security groups. (anthropic.com)

The Clearwing README also carries a warning that cuts the other way. It calls the software a "dual-use offensive-security tool" and says operators should run it only on targets they own or have explicit written authorization to test. (github.com)

That leaves the same fact at the center of both projects: the workflow for turning language models into bug hunters is no longer confined to one lab. Anthropic kept Mythos private, but the mechanics of the hunt are now public code. (anthropic.com) (github.com)
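The "sanitizer crash as proof" and "second-pass verifier" steps described above, as an added example that is not Clearwing's code: a small Python verifier that accepts an agent's claimed bug location only when an AddressSanitizer or UndefinedBehaviorSanitizer report points at the same file and line. The sample logs, file names and the five-line tolerance are constructed for this illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample reports in the usual sanitizer output shapes (not from any real target).
SAMPLE_ASAN_LOG = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4011a3 bp 0x7ffd1c3e0a40 sp 0x7ffd1c3e0a38
READ of size 4 at 0x602000000014 thread T0
    #0 0x4011a2 in parse_header src/parser.c:42:12
    #1 0x401300 in main src/main.c:17:5
SUMMARY: AddressSanitizer: heap-buffer-overflow src/parser.c:42:12 in parse_header
"""
SAMPLE_UBSAN_LOG = "src/image.c:88:14: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'\n"
SAMPLE_PLAIN_CRASH = "Segmentation fault (core dumped)\n"  # a bare crash proves nothing about the bug class

ASAN_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
FRAME0_RE = re.compile(r"#0 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")
UBSAN_RE = re.compile(r"^(\S+?):(\d+):\d+: runtime error: ([^:\n]+)", re.M)


@dataclass(frozen=True)
class SanitizerFinding:
    sanitizer: str   # which sanitizer fired
    bug_class: str   # e.g. heap-buffer-overflow, signed integer overflow
    file: str
    line: int
    function: str    # "?" when the report carries no stack frame


def parse_sanitizer_report(log: str) -> SanitizerFinding | None:
    """Return the first sanitizer-confirmed finding in log, or None if no sanitizer fired."""
    m = ASAN_RE.search(log)
    if m:
        frame = FRAME0_RE.search(log)  # frame #0 is the faulting function and source line
        func, path, line = frame.groups() if frame else ("?", "?", "0")
        return SanitizerFinding("AddressSanitizer", m.group(1), path, int(line), func)
    u = UBSAN_RE.search(log)
    if u:
        path, line, desc = u.groups()
        return SanitizerFinding("UndefinedBehaviorSanitizer", desc.strip(), path, int(line), "?")
    return None


def verify_claim(claimed_file: str, claimed_line: int, log: str, tolerance: int = 5) -> str:
    """Second pass: accept an agent's claimed location only if a sanitizer report corroborates it."""
    finding = parse_sanitizer_report(log)
    if finding is None:
        return "unconfirmed"
    if finding.file == claimed_file and abs(finding.line - claimed_line) <= tolerance:
        return "confirmed"
    return "mismatch"
```

Claims that come back "unconfirmed" or "mismatch" are exactly the ones a human reviewer should read before they reach a report, since the model's description and the crash evidence disagree.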