BotBeat
...
← Back

> ▌

AnthropicAnthropic
INDUSTRY REPORTAnthropic2026-04-16

Mystery Surrounds Anthropic's Project Glasswing: How Many Vulnerabilities Has Mythos Really Found?

Key Takeaways

  • ▸Only one CVE can be directly tied to Project Glasswing according to independent analysis, despite claims about transformative vulnerability discovery capabilities
  • ▸40 CVEs attributed to Anthropic-affiliated researchers may include Glasswing findings, but lack definitive attribution to the program
  • ▸Anthropic claims Mythos found multiple long-standing, critical vulnerabilities in major systems, but many lack assigned CVEs and public verification
Source:
Hacker Newshttps://www.theregister.com/2026/04/15/project_glasswing_cves/↗

Summary

Anthropic's Project Glasswing, a controlled initiative allowing over 50 major tech companies to test its Claude Mythos model for vulnerability discovery, has sparked significant questions about its actual impact. The company claimed Mythos could find zero-day vulnerabilities in every major operating system and browser, prompting the controlled release rather than public availability. However, according to VulnCheck researcher Patrick Garrity's investigation of CVE databases, the actual number of confirmed Glasswing-linked discoveries remains largely opaque.

Garrity's analysis of CVE records from February onward found only 40 CVEs that could potentially be attributed to Anthropic-affiliated work, with just one remotely verifiable Glasswing discovery: CVE-2026-4747, a FreeBSD remote code execution vulnerability. The remaining 40 potential findings are spread across Firefox (28), wolfSSL (9), and other projects, but lack definitive Glasswing attribution. Anthropic has also claimed Mythos discovered previously unpatched vulnerabilities in OpenBSD and FFmpeg, though these have not yet received CVE assignments.

The opacity surrounding Project Glasswing's actual findings highlights a disconnect between Anthropic's bold claims about Mythos's capabilities and verifiable, publicly documented results. Participating companies include AWS, Apple, Google, Microsoft, and others, yet the outcomes remain largely shrouded in secrecy, raising questions about the initiative's transparency and real-world security impact.

  • The controlled release model has created significant opacity about the program's actual security impact and effectiveness

Editorial Opinion

While Anthropic's caution in controlling access to Mythos demonstrates security responsibility, the resulting opacity undermines confidence in the initiative's claimed impact. The gap between Anthropic's bold statements about revolutionary vulnerability discovery and the sparse verifiable evidence raises legitimate questions about whether Project Glasswing is delivering on its promise or functioning primarily as a public relations exercise.

Large Language Models (LLMs)CybersecurityAI Safety & Alignment

More from Anthropic

AnthropicAnthropic
PARTNERSHIP

Claude Integrates with 1Password for Secure Password Management

2026-07-16
AnthropicAnthropic
INDUSTRY REPORT

European Rare Book Dealers Warn That AI Companies Are Systematically Destroying Obscure Editions for Training Data

2026-07-16
AnthropicAnthropic
RESEARCH

PostgreSQL Rewritten in Rust Using Claude: From Four Failed Attempts to 1.8M Lines of Code

2026-07-16

Comments

Suggested

Multiple AI ProvidersMultiple AI Providers
RESEARCH

Security Research Reveals How AI Code Reviewers Can Be Tricked Into Deploying Secret-Stealing Code

2026-07-16
Thinking Machines LabThinking Machines Lab
OPEN SOURCE

Thinking Machines Lab Releases Inkling, a 975B Open-Weight MoE with Architectural Innovations

2026-07-16
Thinking Machines LabThinking Machines Lab
PRODUCT LAUNCH

Former OpenAI CTO Mira Murati Releases Inkling, a 975B-Parameter Open Weights Frontier Model

2026-07-16
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us