Anthropic says partners have found hundreds of vulnerabilities with Glasswing

Anthropic said in a blog post, “Last month, we launched Project Glasswing, our collaborative effort to secure the world’s most critical software before increasingly capable AI models can be turned against it. Since then, we and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world. Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI. In this post, we discuss what we’ve learned about this critical challenge for cybersecurity in the first weeks of Project Glasswing. We focus on the early public evidence of Mythos Preview’s performance, on the initial results of our effort to scan thousands of open-source software projects, and on what this progress means for cyberdefenders today. We also cover what to expect next from Project Glasswing, and how we’re thinking about releasing Mythos-class models in the future… Project Glasswing’s initial partners build and maintain software that is fundamental to the functioning of the internet and other essential infrastructure. Fixing flaws in their code reduces risk for the many other organizations that rely on it, and therefore reduces risk for billions of end users. After one month, most partners have each found hundreds of critical- or high-severity vulnerabilities in their software. Collectively, they’ve found more than tens thousand. Several have told us that their rate of bug-finding has increased by more than a factor of ten. For instance, Cloudflare (NET) has found 2,000 bugs (400 of which are high- or critical-severity) across their critical-path systems, with a false positive rate that Cloudflare’s team considers better than human testers… More generally, we’re now seeing that patched software is being rolled out much more quickly. The latest Palo Alto Networks (PANW) release included over five times as many patches as usual. Microsoft (MSFT) has reported that the number of new patches they’ll release will “continue trending larger for some time.” And Oracle (ORCL) is finding and fixing vulnerabilities across its products and cloud multiple times faster than before… Next, we will work with critical partners-including US and allied governments-to expand Project Glasswing to additional partners. And in the near future, once we’ve developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release.”