AI found 10,000 severe bugs; patching is now the bottleneck

Original: Project Glasswing: An initial update

AI | May 24, 2026 | By Insights AI

Software security is entering a phase where finding vulnerabilities may no longer be the slow part. In a May 22 update on Project Glasswing, Anthropic said Claude Mythos Preview and roughly 50 partners have identified more than 10,000 high- or critical-severity vulnerabilities in systemically important software.

The numbers make this more than another AI security demo. Anthropic said it has also used Mythos Preview over the last few months to scan more than 1,000 open-source projects. Across those projects, the model produced 23,019 candidate findings, including 6,202 that it estimated as high or critical severity.

The post gives a rare look at the triage funnel behind AI-assisted vulnerability discovery. Anthropic said 1,752 of the high- or critical-rated findings were assessed by one of six independent security research firms or, in a small number of cases, by Anthropic itself. Of those assessed findings, 90.6%, or 1,587, were valid true positives, and 62.4%, or 1,094, were confirmed as high or critical severity.

Those rates imply a large downstream workload. Anthropic says that even if Mythos Preview finds nothing else, the current post-triage rates put it on track to surface nearly 3,900 high- or critical-severity vulnerabilities in open-source code, before counting partner findings. That turns the security question from model capability into remediation capacity.

Anthropic is still following coordinated vulnerability disclosure norms: roughly 90 days after discovery, or about 45 days after a patch is available. That is why the company is withholding most technical details for now. The delay protects users, but it also highlights the new constraint: humans still have to reproduce issues, judge severity, notify maintainers, design fixes, and get patches deployed.

The company also said Mythos-class models are not being released broadly yet because safeguards are not strong enough to prevent misuse. Glasswing’s next phase will expand to additional critical partners, including U.S. and allied governments. The metric to watch is not just how many bugs AI can find, but how many confirmed findings become shipped fixes before attackers can exploit the same discovery curve.
