On May 11th Daniel Stenberg, lead developer of cURL wrote in his blog
about his encounter with Linux Foundation people offering Claude Mythos
access.  This is the person who had complained last year about the
sharp increase of "slop" generated bug reports exhausting maintainers.

Mythos finds a curl vulnerability
by Daniel Stenberg
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/

The section after the introduction is titled "My (non-)access".

As I wrote in a previous message, Linux Foundation faces a dilemma:

  I believe Jim Zemlin's plan to make Claude available to a large
  number of "open source" developers is at odds with the desires of
  Project Glasswing member firms.  Glasswing is promoted as a small
  and tight group while Zemlin calls for throwing the gates wide open.

Apparently the Linux Foundation made a compromise.  They decided that
they could not give "open source" developers direct access to Claude
Mythos.  They let someone else conduct the actual examination and sent
Daniel Stenberg the results.

Five issues were reported.  Stenberg identifies two bugs.  One affects
security, but he does not consider it severe.

We don't know what would have happened had the inspection turned up
no defects.  Would they have sent a report explicitly stating that the
slate was clean, or not?

Will the Linux Foundation produce a summary of its findings at some
point?


Death by a Thousand Slops
https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

Alpha Omega (Linux Foundation project, handles security issues)
https://openssf.org/community/alpha-omega/

---

Nowadays Anthropic's Claude Mythos is discussed quite frequently in
the mainstream media.  Politicians and finance heads see it as a
genuine threat and are ordering strengthening of defenses.  Responding
to a request by by the Japanese government, Anthropic will allow the
three largest Japanese banks access to Mythos.

Developers who actually deal with security issues generally see
the media attention overblown.  Daniel Stenberg takes this position.


However I would like to point out that it may well be that Mythos
found few problems in cURL because few existed.  cURL is well
maintained.  On the other end of the spectrum there likely exist
programs with scores or even hundreds of problems.  They may be owned
and maintained by for-profit firms which are reluctant to disclose
information about shortcomings fearing damage to reputation.  So it
may be true that Claude Mythos discovered thousands of serious
vulnerabilities.

_______________________________________________
libreplanet-discuss mailing list
[email protected]
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss

Reply via email to