Anthropic / Project Glasswing published a report on May 22.  (I was
not aware of this when I sent out my last message to this list, dated
May 26.)

https://www.anthropic.com/research/glasswing-initial-update
https://red.anthropic.com/2026/cvd/

I find the numbers in this report hard to digest.  There are some
loose ends.  Notably, in the middle it gives a chart with several
boxes summarizing the process, which is unfortunately inconsistent
with the text.

Here is my interpretation:

  Over the last several months over 1000 "open source" packages were
  scanned and Mythos reported 23019 problems.  Mythos marked 6202 of
  them as high or critical severity (which implies that 16817 were
  medium or low severity.)

  Security firms and Anthropic staff examined 1752 of the 6202 packages
  (which implies that 4450 were not examined by them.)  Of the 1752
  examined 1092 were confirmed to be positive.  1092 / 1752 = 0.623 or
  62.3%  By applying this ratio to 6202 packages we arrive at an
  estimate of 3866 problems of high or critical severity.

  For 530 of the 1092 vetted vulnerabilities, notices were sent to
  maintainers (which implies that for 562 confirmed vulnerabilities
  disclosure is pending.)  Of the 530 problems 75 have been patched
  by developers.

The numbers 1900, 1726 and 467 which appear in the summary chart do
not appear in the text.

On April 7th Anthropic announced that "Mythos Preview has already
found thousands of high-severity vulnerabilities, including some in
every major operating system and web browser."  What is the relation
between the "thousands" and the figures given above?  The figures in
the recent report include vulnerabilities found after April 7th
and do not include problems in proprietary software.

Maintainers were informed of 530 vulnerabilities and 75 were patched.
That means 455 have not been patched.  What is the breakdown here?
Often it takes time for maintainers to respond.  But there may be
cases in which the maintainers believe that the problem has been
wrongly attributed.  In other cases maintainers may claim that the
problem has already been solved.  The report gives us no information
on feedback from developers.

The cURL developer was notified of 5 issues.  Are these 5 a subset of
the 530 confirmed vulnerabilities?

 Mythos finds a curl vulnerability
 by Daniel Stenberg
 https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/

Note that this article is about cURL's encounter with the Linux Foundation
while the recent report is from Anthropic.

---

The following is a message from Linus Torvalds recently posted to
the Linux kernel development list:

May 17 2026
https://lwn.net/Articles/1073192/

  ...

  Some of the documentation updates might be worth highlighting: the
  continued flood of AI reports has basically made the security list
  almost entirely unmanageable, with enormous duplication due to
  different people finding the same things with the same tools. People
  spend all their time just forwarding things to the right people or
  saying "that was already fixed a week/month ago" and pointing to the
  public discussion.
  
  Which is all entirely pointless churn, and we're making it clear
  that AI detected bugs are pretty much by definition not secret, and
  treating them on some private list is a waste of time for everybody
  involved - and only makes that duplication worse because the
  reporters can't even see each other's reports.
  
  AI tools are great, but only if they actually help, rather than
  cause unnecessary pain and pointless make-believe work. Feel free to
  use them, but use them in a way that is productive and makes for a
  better experience.
  
  The documentation may be a bit less blunt than I am, but that's the
  core gist of it. So just to make it really clear: if you found a bug
  using AI tools, the chances are somebody else found it too. If you
  actually want to add value, read the documentation, create a patch
  too, and add some real value on *top* of what the AI did. Don't be
  the drive-by "send a random report with no real understanding" kind
  of person. Ok?

                Linus

The Anthropic / Glasswing report does not tell us how many of the 530
problems disclosed were already known to the the developers.

---

The following blog page also discusses numbers in the Anthropic /
Glasswing report.  I do not agree with the interpretation of the
figure 1752 found in this analysis.

Mythos Grading Mythos: Got Patches Yet?
https://www.flyingpenguin.com/mythos-grading-mythos-got-patches-yet/

_______________________________________________
libreplanet-discuss mailing list
[email protected]
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss

Reply via email to