Anthropic’s Claude Mythos AI model has identified a large number of vulnerabilities across open source software (OSS) projects. The company reported that the Mythos Preview model uncovered over 23,000 potential security issues in more than 1,000 OSS projects, a volume that raises the practical question of how maintainers and vendors will triage and fix them.
Extensive Vulnerability Findings
So far, external security firms have reviewed 1,900 of these findings and confirmed 1,726 as genuine, with over 1,000 rated ‘high’ or ‘critical’. Based on the current data, Anthropic anticipates that nearly 3,900 critical- and high-severity vulnerabilities will ultimately be validated, and as scanning continues it expects the count of severe vulnerabilities to reach as many as 6,200.
More than 1,100 findings that have not yet been independently verified have been communicated to vendors; of these, 75 critical- or high-severity issues have been addressed through patches. Vendors have so far issued 65 security advisories, a number that is expected to rise as the 90-day Coordinated Vulnerability Disclosure (CVD) period progresses.
Challenges in Patch Deployment
Anthropic has highlighted challenges in the patching process, noting that fix deployments got off to a slow start. The company also said that some patches may ship without a public announcement, so downstream users cannot rely on advisories alone to know whether a project has been fixed and may need to run independent scans with Claude. Patch throughput is further constrained by pressure on the security ecosystem, where maintainers are already handling a high volume of disclosures.
In response to these challenges, Anthropic introduced Claude Security, a codebase scanner aimed at assisting developers in identifying security issues in their applications. This tool is part of the company’s broader strategy to enhance vulnerability detection and management.
Collaborations and Future Prospects
The vulnerability assessments primarily target OSS projects, with Anthropic conducting much of the scanning. Through Project Glasswing, around 50 organizations have access to the Mythos Preview, with several reporting positive outcomes. Mozilla, for example, identified 271 vulnerabilities in Firefox, while Palo Alto Networks also benefited from the model’s insights.
Although some organizations, such as Google, have access to the model, it is unclear how much Mythos has contributed to recent Chrome vulnerability discoveries. Not all results have been positive, either: Mythos identified only one low-severity issue in curl, which sparked debate about the model’s effectiveness.
Anthropic is working on safeguards to prevent misuse of Mythos and plans to expand access by bringing more organizations into Project Glasswing. The company aims to make this class of AI model broadly available in the near future, increasing the capacity for vulnerability detection across sectors.
