securityweek.com via Reddit

Anthropic Mythos: 23,000 Bugs Found, Only 75 Patched

anthropic cybersecurity ai-security

Key insights

  • Anthropic added roughly 150 organizations to Project Glasswing, raising total partners to around 200 across more than 15 countries.
  • Claude Mythos identified more than 23,000 potential vulnerabilities, with more than 6,000 expected to be confirmed as severe flaws.
  • Despite more than 23,000 flagged vulnerabilities, only 75 critical and high-severity issues have been patched, exposing a deep remediation lag.

Why this matters

AI-powered vulnerability scanning has outpaced human capacity to verify and remediate findings, creating a dangerous backlog where more than 23,000 flagged flaws have produced only 75 patches. The inclusion of NATO, ENISA, Samsung, and Okta signals that AI security tooling has shifted from experimental to operational for the most critical global infrastructure. The remediation bottleneck, not the detection capability, is now the defining constraint for AI-assisted security at scale.

Summary

Anthropic is adding roughly 150 organizations to Project Glasswing, raising Claude Mythos Preview's partner count to around 200 across more than 15 countries. New participants include Okta, Samsung, NATO, and ENISA (per Financial Times reporting), joining earlier partners like Mozilla, Palo Alto Networks, and Cloudflare. The selection threshold: systems whose breach could affect more than 100 million people, with national and global security implications. Essentially, Anthropic, NATO, Samsung, and ENISA are running an AI-powered security sweep of critical global infrastructure.

  • Mythos has flagged more than 23,000 potential vulnerabilities since the program launched with around 50 partners in early April.
  • More than 6,000 of those are expected to be confirmed as severe flaws.
  • Only 75 critical and high-severity issues have been patched so far.

Anthropic is now working to substantially scale up reviewing and patching of open-source vulnerabilities, but detection has clearly outpaced remediation.

Potential risks and opportunities

Risks

  • The more than 6,000 expected severe vulnerabilities in widely used codebases represent an active exposure window if threat actors independently discover the same flaws before patches are ready.
  • Okta and Samsung face reputational and customer-trust exposure if vulnerabilities found by Mythos become public before patches are deployed, given their prominence in the named partner list.
  • Anthropic's expanding access to codebases for NATO and ENISA partners makes the Mythos platform itself a high-value target for nation-state espionage or interference.

Opportunities

  • Vulnerability triage and management vendors (Snyk, Veracode, Tenable) are positioned to capture budget from organizations overwhelmed by the volume of findings Mythos is generating.
  • Critical infrastructure vendors with demonstrably fast patch cycles can use Project Glasswing participation as a differentiator when bidding on government and defense contracts.
  • Anthropic gains proprietary insight into real-world vulnerability patterns across critical infrastructure codebases, strengthening Claude Mythos as a commercial security product beyond the current program.

What we don't know yet

  • No timeline or methodology disclosed for how Anthropic and partners plan to triage and close the gap between more than 23,000 flagged vulnerabilities and only 75 patches.
  • Whether NATO and ENISA's participation grants Anthropic access to sensitive or classified infrastructure codebases, and how that data is governed and retained.
  • Which specific open-source projects scanned by Mythos carry the most critical unpatched flaws, and whether affected maintainers have been formally notified ahead of any disclosure.