The following article describes a security expert's effort to determine whether Anthropic's claim of "thousands of severe vvlnerabilies" is true. He examined the CVE registry.
Researchers Are Trying to Determine How Many Vulnerabilities Claude Mythos Has Discovered https://hackmag.com/news/mythos-cves VulnCheck specialist Patrick Garrity tried to determine how many vulnerabilities Anthropic's new AI model Claude Mythos actually discovered as part of the Project Glasswing initiative. Recall that the developers had claimed it found thousands of 0-days. ... Gerrity decided to put Anthropic's bold claims to the test and examined the CVE registry, which contains more than 327,000 entries. He searched for all records containing the word "Anthropic" starting from February 2026 and manually analyzed the results. --- On April 7th Jim Zemlin of the Linux Foundation made a statement on Project Glasswing. https://www.linuxfoundation.org/blog/project-glasswing-gives-maintainers-advanced-ai-to-secure-open-source The message is addressed primarily to "open source" developers. Zemlin understands that they suffer from limited resources and says that Project Glasswing would be a blessing because "AI" would assist arduous security-related work. He speaks of providing Claude access to "open source" developers, even going on to suggest that such access would entice people to accept maintainer roles. There are several problems. The above was posted on April 7th. A month has passed but maintainers are generally unaware of this proclamation. The Linux Foundation has not issued any further statements, indicating an absence of notable progress. There are many free software projects that maintain critical system components. Compiling a comprehensive list is a significant task. Any attempt to determine who shall be let in and who shall be kept out should lead to noisy debate, which we currently do not observe. I believe Jim Zemlin's plan to make Claude available to a large number of "open source" developers is at odds with the desires of Project Glasswing member firms. Glasswing is promoted as a small and tight group while Zemlin calls for throwing the gates wide open. Without resolving this conflict the Linux Foundation cannot make progress. Linux is the name of a kernel, and the Linux Foundation is built around kernel developers. Many people wrongly believe that "Linux" is the whole OS and do not understand that the Linux Foundation has absolutely no authority over developers of other OS components. In fact many developers are not interested in the Linux Foundation and pay scant or no attention to announcements on their official website. In contrast when ordinary people hear that the Linux Foundation is a Glasswing member, they assume that developers of the "Linux OS" would be given ample time and resources to deal with security issues. Unfortunately this is not the case. A dangerous gap between reality and perception thereof exists. --- If we want to compile a list of critical system components, where do we start? The Debian Popularity Contest may be the starting point: https://popcon.debian.org/ _______________________________________________ libreplanet-discuss mailing list [email protected] https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
