AI Now Finds Software Vulnerabilities Faster Than They Can Be Patched
Key Takeaways
- Patching crisis: Only 75 of 530 disclosed critical/high-severity vulnerabilities have been patched, reversing the historical assumption that discovery is the bottleneck
- Scale shock: 10,000+ vulnerabilities discovered across 50 partners; Cloudflare found 2,000 bugs in critical systems
- Velocity mismatch: High-severity bugs take ~2 weeks to patch on average, while AI can find them in minutes
Summary
Anthropic's Project Glasswing initiative has revealed a fundamental shift in software security: AI can discover vulnerabilities far more rapidly than the industry can patch them. Testing Claude Mythos Preview, a security-grade model, with 50 partners uncovered over 10,000 high- and critical-severity vulnerabilities across systemically important software. Cloudflare alone discovered 2,000 bugs, while Mozilla found 271 vulnerabilities in Firefox—more than ten times what it detected in a previous Claude version.
The crisis lies not in discovery but in remediation. Of the first 530 critical and high-severity bugs Anthropic disclosed to maintainers, only 75 have been patched. High-severity vulnerabilities take approximately two weeks to patch on average, and open-source maintainers have requested that Anthropic slow its disclosure rate because they're overwhelmed. This creates a dangerous asymmetry: vulnerabilities are known and exploitable, but fixes remain unavailable.
This reverses thirty years of security doctrine. Vulnerability discovery was long the bottleneck; everything downstream—triage, disclosure, patching—had time to keep up. Now verification, reproduction, and patching are the scarce resources, while AI can generate vulnerability reports faster than humans can process them. The constraint on software security has moved from finding bugs to fixing them.
The implications extend across the industry. Anthropic warns that Mythos-class models will soon be available from multiple labs, and every organization adopting such capabilities will face operational overwhelm across disclosure workflows, triage, and quality control. The result is a quantified, dangerous gap in the vulnerability window—from discovery to patch availability.
- Open-source maintainers are requesting disclosure slowdowns due to overwhelming bug report volumes from AI tools
Editorial Opinion
The Glasswing results crystallize a strategic inflection point in cybersecurity: AI has made vulnerability discovery abundant while leaving remediation scarce. The 75/530 patch rate is alarming not because it reflects negligence but because it reflects the hard limits of human engineering velocity. This reshapes the entire economics of software security—the industry must either dramatically accelerate patching processes or accept that zero-day windows will grow wider than at any point in the past three decades.