Anthropic's Glasswing update finds 10,000 software bugs, and a patching backlog
A month after launching Project Glasswing, Anthropic has published what its roughly 50 partners found by pointing a preview model it calls Mythos at systemically important code. Together they flagged more than 10,000 high or critical severity vulnerabilities. Cloudflare alone reported 2,000 bugs, 400 of them high or critical, with a false positive rate Anthropic says was better than human testers. Mozilla found 271 vulnerabilities in Firefox, about ten times what its earlier testing had surfaced. When outside security firms independently checked a sample of 1,752 findings, 90.6 percent held up as real.
The more interesting result is what the program could not do. Of 530 high or critical bugs disclosed in open-source projects, only 75 have been patched and 65 have public advisories. Anthropic is blunt about the shift: progress used to be limited by how fast you could find vulnerabilities, and now it is limited by how fast you can verify, disclose, and patch them. A serious bug still takes about two weeks to fix, and that human step does not scale the way scanning does.
Anthropic also says it is not releasing Mythos-class models. The UK's AI Security Institute reports Mythos was the first model to clear both of its cyber ranges end to end, and Anthropic argues no one, itself included, has safeguards strong enough to stop such a model from being misused.
Why it matters
If you maintain software, the scarce resource is no longer bug-finding, it is the people who triage and ship fixes. Plan for a flood of credible reports, and decide now how you will prioritize them, because attackers will eventually run the same scanners.