10,000 Critical Vulnerabilities: Anthropic Reports Initial Results of Project Glasswing

Anthropic has released its first report on Project Glasswing, a vulnerability detection program utilizing the Claude Mythos model.

In just one month, around 50 partners identified over 10,000 high and critical security issues. The company noted that the bottleneck was not the speed of detection, but rather the verification and release of patches.

The neural network scanned more than 1,000 open-source projects and discovered 23,019 vulnerabilities across all levels. Of these, 6,202 were initially classified as "high" or "critical". Upon further verification, 90.6% of the findings were confirmed, including 62.4% that required urgent intervention.

A dashboard displaying vulnerabilities in open-source software. This shows issues of all severity levels, not just those rated as "high" or "critical". Source: Anthropic.

The company disclosed 530 significant bugs to developers, with another 827 set to be published. A total of 75 have been fixed, and recommendations have been issued for 65. On average, it takes about two weeks to close a serious vulnerability.

Among the public cases is a vulnerability in the wolfSSL library (CVE-2026-5194). According to the company, the model was able to construct an attack to forge certificates.

Mozilla reported fixing 271 bugs in Firefox 150 after testing with Mythos. Cloudflare identified around 2,000 vulnerabilities, including 400 classified as "high" and "critical".

Anthropic stated that it does not plan to publicly release the model until stronger protective mechanisms are in place and intends to expand Project Glasswing, including collaboration with the U.S. government and allies.

Recall that in April, the firm decided against making Mythos publicly available due to high security risks.

The neural network is also utilized by the U.S. National Security Agency.