Mystery Surrounds Anthropic's Project Glasswing: How Many Vulnerabilities Has Mythos Really Found?
Key Takeaways
- Only one CVE can be directly tied to Project Glasswing according to independent analysis, despite claims about transformative vulnerability discovery capabilities
- 40 CVEs attributed to Anthropic-affiliated researchers may include Glasswing findings, but lack definitive attribution to the program
- Anthropic claims Mythos found multiple long-standing, critical vulnerabilities in major systems, but many lack assigned CVEs and public verification
- The controlled release model has created significant opacity about the program's actual security impact and effectiveness
Summary
Anthropic's Project Glasswing, a controlled initiative allowing over 50 major tech companies to test its Claude Mythos model for vulnerability discovery, has sparked significant questions about its actual impact. The company claimed Mythos could find zero-day vulnerabilities in every major operating system and browser, prompting the controlled release rather than public availability. However, according to VulnCheck researcher Patrick Garrity's investigation of CVE databases, the actual number of confirmed Glasswing-linked discoveries remains largely opaque.
Garrity's analysis of CVE records from February onward found only 40 CVEs that could potentially be attributed to Anthropic-affiliated work, with just one remotely verifiable Glasswing discovery: CVE-2026-4747, a FreeBSD remote code execution vulnerability. The remaining 40 potential findings are spread across Firefox (28), wolfSSL (9), and other projects, but lack definitive Glasswing attribution. Anthropic has also claimed Mythos discovered previously unpatched vulnerabilities in OpenBSD and FFmpeg, though these have not yet received CVE assignments.
The opacity surrounding Project Glasswing's actual findings highlights a disconnect between Anthropic's bold claims about Mythos's capabilities and verifiable, publicly documented results. Participating companies include AWS, Apple, Google, Microsoft, and others, yet the outcomes remain largely shrouded in secrecy, raising questions about the initiative's transparency and real-world security impact.
Editorial Opinion
While Anthropic's caution in controlling access to Mythos demonstrates security responsibility, the resulting opacity undermines confidence in the initiative's claimed impact. The gap between Anthropic's bold statements about revolutionary vulnerability discovery and the sparse verifiable evidence raises legitimate questions about whether Project Glasswing is delivering on its promise or functioning primarily as a public relations exercise.

