The Inverse Security Paradox: Anthropic Found 6,202 Vulnerabilities and the Ecosystem Cannot Patch Them
Anthropic filed its IPO papers on June 1. The following day, it announced it was expanding Claude Mythos — the AI model its own researchers have described as the first capable of reliably finding and exploiting software vulnerabilities — to 202 partner organizations, up from roughly 50. The timing is not incidental: Anthropic is widening access to its most dangerous model before the existing backlog of vulnerabilities the program has identified is anywhere near cleared.
Claude Mythos is now available through Project Glasswing to four times as many organizations as it was a day earlier, according to Reuters. During internal testing, Mythos Preview identified vulnerabilities across every major operating system and browser. Cloudflare found 2,000 bugs across its critical-path systems, 400 of them high or critical severity, according to Anthropic's Glasswing initial update. Mozilla discovered 271 vulnerabilities in Firefox 150 while testing Mythos Preview, more than ten times what it found in Firefox 148 using the previous model. A third party reviewed a sample of 1,752 high- or critical-rated vulnerabilities and validated that 91 percent were true positives. Anthropic's Glasswing initiative has identified more than 6,200 high-severity open-source vulnerabilities since launch, and over 99 percent of them remain open, according to the company's May blog post. Forbes confirmed on May 29 that Mythos was headed for wider release before the existing backlog was anywhere near cleared.
The UK AI Security Institute, which runs one of the few government-run cyber evaluation ranges for frontier AI models, confirmed that Mythos Preview is the first model to solve both of its ranges end to end. In its more difficult 32-step TLO range, Mythos completed the attack from start to finish in 3 out of 10 attempts, averaging 22 out of 32 steps completed. The agency's broader tracking suggests the window between a vulnerability being discovered and an adversary being able to exploit it is now doubling every 4.7 months — a pace that implies the gap between AI-assisted discovery and human-paced remediation is widening faster than most organizations realize. The White House has already intervened once, pushing back against a proposed expansion from 50 to 120 organizations — what analysts described as the first known case of the US government restricting a frontier AI model rollout.
Open-source maintainers — many of them working part-time or as volunteers — have already described being overwhelmed by the volume of automated vulnerability disclosures that programs like Glasswing generate. Daniel Stenberg, the lead maintainer of curl, has noted publicly that tooling which finds bugs faster than humans can fix them also outpaces the capacity of small teams to respond to each disclosure at the rate AI can produce them. The curl project alone fields hundreds of such reports annually; multiply that across the thousands of libraries in a typical production software stack and the scope of the coordination problem becomes clear.
For a typical software company, this flows through the supply chain in a predictable way. A development team ships a product built on dozens of open-source libraries. One of those libraries — maintained by a volunteer somewhere — has a vulnerability that Mythos just found. The volunteer gets an automated disclosure email. They work on it in their spare time. Meanwhile, the company shipping the product has no visibility into which of their dependencies have been flagged, no faster path to patching than the normal update cycle, and no leverage over the maintainer's timeline. The Log4j incident of 2021 — where a single open-source logging library's vulnerability forced hundreds of companies to scramble patches under emergency conditions — is the recent historical reference point for exactly this dynamic. Google Project Zero's tracking of CVE remediation timelines found that the median time to patch a critical vulnerability in the wild still runs 30 to 60 days for most organizations. Mythos is generating vulnerability candidates at a pace those timelines cannot absorb.
The Glasswing expansion will bring the scanning capability to more organizations. What it will not immediately change is the remediation bottleneck — the human and institutional limit that determines whether a found vulnerability becomes a fixed one or an exploitable one in production.
What to watch: whether any of the newly expanded Glasswing partner cohort publishes data on what share of found vulnerabilities actually got patched within 30, 60, or 90 days. If the answer is under 5 percent, the paradox is not a framing problem. It is the story — and every company that ships software built on open-source dependencies needs to ask whether it has any line of sight into its own exposure.