Anthropic formalizes disclosure rules for Claude-discovered vulnerabilities
Original: Coordinated vulnerability disclosure for Claude-discovered vulnerabilities
On March 6, 2026, Anthropic published a coordinated vulnerability disclosure policy covering vulnerabilities discovered with assistance from Claude. The company says every report it sends will be reviewed and confirmed by a human security researcher, and findings that originate from AI-powered discovery will be explicitly labeled as such.
The policy sets a default 90-day disclosure deadline from the initial report to public disclosure. If a maintainer needs more time near the end of that window, Anthropic says it may grant a 14-day extension on request. For actively exploited critical vulnerabilities, the timeline is much shorter: Anthropic targets a patch or mitigation within 7 days and may allow an additional 7 days if the maintainer is actively working on a fix.
Anthropic also lays out how it wants to reduce operational burden on vendors and open-source maintainers. It says it will include candidate fixes where possible, avoid dropping large volumes of findings on a single project without coordination, and escalate to an external vulnerability coordinator if a maintainer does not respond within 30 days. For ecosystem-wide issues that affect many projects, the company says it will notify affected parties and give them time to respond before technical details become public.
Another notable detail is the publication buffer after a patch exists. Anthropic says it will generally wait 45 days before releasing full technical details so downstream users have time to deploy fixes. That delay can be shortened if the information is already public or if earlier publication would materially help defenders respond to ongoing attacks. It can also be extended when remediation is unusually complex or the affected footprint is unusually broad.
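Taken together, the policy's default timelines reduce to a simple date calculation. The sketch below illustrates the key deadlines described above; the function and constant names are illustrative only and are not part of any Anthropic tooling.

```python
from datetime import date, timedelta

# Illustrative constants from the policy's default timelines (not Anthropic code).
DISCLOSURE_WINDOW = timedelta(days=90)   # initial report -> public disclosure
EXTENSION = timedelta(days=14)           # optional, granted on maintainer request
PUBLICATION_BUFFER = timedelta(days=45)  # patch available -> full technical details

def disclosure_deadline(reported: date, extended: bool = False) -> date:
    """Default date by which details may go public, with the optional extension."""
    deadline = reported + DISCLOSURE_WINDOW
    return deadline + EXTENSION if extended else deadline

def publication_date(patched: date) -> date:
    """Earliest date full technical details are published once a fix exists."""
    return patched + PUBLICATION_BUFFER

reported = date(2026, 3, 6)
print(disclosure_deadline(reported))        # 2026-06-04
print(disclosure_deadline(reported, True))  # 2026-06-18
print(publication_date(date(2026, 4, 1)))   # 2026-05-16
```

Note that the 45-day publication buffer runs from the patch date, not the report date, so the two clocks can overlap or diverge depending on how quickly a maintainer ships a fix.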
The update matters because AI-assisted vulnerability discovery is moving from demonstration to operational workflow. Anthropic is trying to show that frontier-model tooling can fit inside established disclosure norms instead of bypassing them. That makes the policy relevant not only for Claude users, but also for software vendors, open-source maintainers, and security teams deciding how AI should participate in offensive security research and coordinated disclosure.