Project Glasswing: a 12-company push to fix critical bugs before attackers do

Project Glasswing is a coalition aimed at using AI to find and fix vulnerabilities in critical software before attackers exploit them. The founding group is unusually broad: 12 members including AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus more than 40 other organizations that run critical infrastructure.

The technical claim is the striking part. It centers on Claude Mythos Preview, an unreleased Anthropic model, which the announcement says can already surpass all but the most skilled humans at finding and exploiting vulnerabilities. It points to concrete finds: a 27-year-old flaw in OpenBSD, a 16-year-old bug in FFmpeg that automated tools had missed, and chained vulnerabilities in the Linux kernel. Anthropic is committing $100 million in model usage credits and $4 million in direct donations to open-source security groups. Read the announcement on Anthropic's site.

Why it matters

If you maintain or depend on open-source infrastructure, this cuts both ways and that is the point. The same capability that finds a 27-year-old OpenBSD flaw for defenders also exists for attackers, so the race is now about who runs it first, which is exactly why the funding goes to open-source security.