NHS England Withdraws Public Code Over AI Vulnerability Detection Fears
Key Takeaways
- NHS England reversed its open-source-first policy, requiring all code repositories to be private by default with public access only in 'explicit and exceptional' cases, a major policy shift after years of transparency-focused practices
- The directive cites fears that Anthropic's Mythos model can identify software vulnerabilities at scale, exposing NHS infrastructure to potential exploitation by sophisticated threat actors
- Security experts and transparency advocates question whether the move improves security, arguing that community code review and scrutiny actually strengthen defenses; copies of NHS code likely remain accessible elsewhere
Summary
NHS England has issued urgent guidance requiring all publicly accessible source code repositories to be made private by May 11, citing concerns that AI tools—specifically Mythos, developed by Anthropic—could identify and expose system vulnerabilities at scale. The directive marks a dramatic reversal of the organization's long-standing open-source-first policy for publicly funded software, which was intended to reduce costs, prevent duplication, and improve public trust through transparency. NHS England's internal guidance explicitly references Mythos's ability to uncover "architectural decisions, configuration detail, and contextual information" that could be exploited by malicious actors targeting critical infrastructure. The organization describes the measures as temporary and precautionary while assessing rapid AI developments; however, security experts and government researchers have questioned the move's necessity, with the AI Security Institute concluding that Mythos is primarily effective only against "small, weakly defended" systems.
- The change contradicts government open-source standards and may undermine the collaborative security model that has historically helped identify and fix vulnerabilities faster