Anthropic's Mythos model surfaces

- Anthropic introduced Mythos, an AI model discussed for uncovering and exploiting software vulnerabilities.
- Observers say Mythos can automate vulnerability discovery and accelerate security reviews.
- The model's arrival is spurring debate about offensive research and the role of AI-assisted security tooling. (x.com)

Anthropic has surfaced a restricted AI model called Claude Mythos Preview that it says can find and exploit previously unknown software flaws. (red.anthropic.com) Software vulnerabilities are mistakes in code that can let attackers crash programs, steal data, or run their own commands. Anthropic said on April 7 that Mythos Preview could identify and exploit zero-day bugs across every major operating system and every major web browser in its testing. (red.anthropic.com)

Anthropic said many of the bugs Mythos found were 10 to 20 years old, and the oldest disclosed example was a 27-year-old OpenBSD flaw that has since been patched. The company also said more than 99% of the vulnerabilities it found were still unpatched, which is why it withheld technical details. (red.anthropic.com)

The company paired the model’s debut with Project Glasswing, a defense-focused program announced April 7. Anthropic said launch partners include Amazon Web Services, Apple, Cisco, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation, with access also extended to more than 40 other organizations. (anthropic.com)

Anthropic said it is committing up to $100 million in usage credits and $4 million in donations to open-source security groups through Glasswing. The company said partners are using Mythos Preview for defensive work on critical software rather than broad public testing. (anthropic.com)

The immediate test case came from Mozilla. Mozilla said this week that Firefox 150 shipped fixes for 271 vulnerabilities identified during an initial evaluation of an early Mythos Preview model. (blog.mozilla.org)

Mozilla’s Bobby Holley said the result changed the scale of code review, but he also said the company had not seen bugs that “couldn’t have been found by an elite human researcher.” SecurityWeek reported that only three Firefox 150 issues were publicly credited to Claude in Mozilla’s advisory, suggesting many of the 271 fixes were lower-severity or non-CVE issues. (blog.mozilla.org) (securityweek.com)

Anthropic has tried to frame the release around controlled disclosure. In a March 6 policy update, the company said it aims to follow a 90-day disclosure deadline, with shorter seven-day targets for actively exploited critical bugs and 45 days before publishing full technical details after a patch is available. (anthropic.com)

The company has also published a separate risk report for Mythos Preview and said the model first saw internal deployment before a small external research-access program. That combination of restricted access, vulnerability disclosure rules, and partner testing has turned Mythos into both a security tool and a policy test for how frontier AI systems get handled when they can do offensive work. (anthropic.com) (red.anthropic.com)

The next question is not whether AI can scan code faster than humans. Anthropic and Mozilla have already put numbers on that; the question now is how many of these systems stay in defender hands before the same methods spread wider. (red.anthropic.com) (blog.mozilla.org)
