A leading AI research organization, Anthropic, has announced plans to eventually release models capable of matching the performance of its advanced bug-finding artificial intelligence, Mythos, to the public. However, this release will only happen once the company establishes strong safety protocols to prevent misuse.
Since its announcement in early April, Mythos has been available exclusively to a select group of users through a program called “Project Glasswing.” The decision to limit access stems from concerns that unrestricted availability could enable cybercriminals to exploit the vulnerabilities it identifies within software code. Participants in this program report that while Mythos is effective at uncovering security vulnerabilities, the sheer volume of bugs it finds can be overwhelming, often presenting more challenges than they can address.
The unveiling of Mythos has initiated an urgent response from governments around the world. For instance, Japanese authorities have initiated a comprehensive security review, while Indian regulators have called for an immediate effort to address vulnerabilities within financial institutions. This growing awareness highlights that even less sophisticated AI tools possess the capability to detect bugs, raising alarms about the potential for attackers to leverage these flaws more frequently.
In a recent update regarding Project Glasswing, Anthropic acknowledged that no organization, including itself, has established enough safeguards to prevent the potential misuse of models like Mythos. The company indicated that its next steps involve collaborating with critical partners, specifically the US and allied governments, to widen the access of Project Glasswing to additional participants. Although Anthropic expressed hope for a general release of Mythos-class models in the near future, it refrained from providing a specific timeline.
The scale of vulnerabilities identified by Mythos is significant. The AI has been utilized to scan over 1,000 open-source projects that are crucial to internet infrastructure, revealing an estimated 6,202 high or critical vulnerabilities, along with a total of 23,019 flaws. Anthropic has a rigorous process for validating these findings: once a vulnerability is flagged, the company and its collaborators reproduce the issue to reassess its severity and confirm its validity. As of now, 1,752 high or critical vulnerabilities identified by Mythos have undergone this validation process, with a commendable success rate—90.6% of these were confirmed as genuine flaws.
One particularly alarming vulnerability affected the wolfSSL cryptography library, which serves billions of devices globally. Anthropic noted that Mythos was able to construct an exploit that could enable attackers to forge certificates, allowing them to create counterfeit websites resembling legitimate banking or email services. Fortunately, developers have since patched this vulnerability, and a detailed technical analysis is forthcoming.
The impact of Mythos on the security landscape has been substantial, but it also adds strain to an already overwhelmed security ecosystem. As of the latest reports, only 75 out of 530 high- or critical-severity vulnerabilities flagged have been patched, with more fixes expected to follow. Anthropic suggests that the increasing burden on security teams could be alleviated through the application of AI, including leveraging its own Claude model, which aims to enhance developers’ efficiency in addressing vulnerabilities.
In summary, while Anthropic’s Mythos promises to revolutionize vulnerability detection, its current limitations and the potential for misuse demand careful consideration and rigorous safety measures before any broader public release.
