Akira Urushibata on Misleading Numbers From Anthropic's Project Glasswing (False Marketing by FUD Tactics)
Posted yesterday and approved a short while ago by the libreplanet-discuss moderator:
Anthropic / Project Glasswing published a report on May 22. (I was not aware of this when I sent out my last message to this list, dated May 26.)
https://www.anthropic.com/research/glasswing-initial-update https://red.anthropic.com/2026/cvd/
I find the numbers in this report hard to digest. There are some loose ends. Notably, in the middle it gives a chart with several boxes summarizing the process, which is unfortunately inconsistent with the text.
Here is my interpretation:
Over the last several months over 1000 "open source" packages were scanned and Mythos reported 23019 problems. Mythos marked 6202 of them as high or critical severity (which implies that 16817 were medium or low severity.)
Security firms and Anthropic staff examined 1752 of the 6202 packages (which implies that 4450 were not examined by them.) Of the 1752 examined 1092 were confirmed to be positive. 1092 / 1752 = 0.623 or 62.3% By applying this ratio to 6202 packages we arrive at an estimate of 3866 problems of high or critical severity.
For 530 of the 1092 vetted vulnerabilities, notices were sent to maintainers (which implies that for 562 confirmed vulnerabilities disclosure is pending.) Of the 530 problems 75 have been patched by developers.
The numbers 1900, 1726 and 467 which appear in the summary chart do not appear in the text.
On April 7th Anthropic announced that "Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser." What is the relation between the "thousands" and the figures given above? The figures in the recent report include vulnerabilities found after April 7th and do not include problems in proprietary software.
Maintainers were informed of 530 vulnerabilities and 75 were patched. That means 455 have not been patched. What is the breakdown here? Often it takes time for maintainers to respond. But there may be cases in which the maintainers believe that the problem has been wrongly attributed. In other cases maintainers may claim that the problem has already been solved. The report gives us no information on feedback from developers.
The cURL developer was notified of 5 issues. Are these 5 a subset of the 530 confirmed vulnerabilities?
Mythos finds a curl vulnerability by Daniel Stenberg https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
Note that this article is about cURL's encounter with the Linux Foundation while the recent report is from Anthropic.
---
The following is a message from Linus Torvalds recently posted to the Linux kernel development list:
May 17 2026 https://lwn.net/Articles/1073192/
...
Some of the documentation updates might be worth highlighting: the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools. People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion. Which is all entirely pointless churn, and we're making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports. AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience. The documentation may be a bit less blunt than I am, but that's the core gist of it. So just to make it really clear: if you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by "send a random report with no real understanding" kind of person. Ok?
Linus
The Anthropic / Glasswing report does not tell us how many of the 530 problems disclosed were already known to the the developers.
---
The following blog page also discusses numbers in the Anthropic / Glasswing report. I do not agree with the interpretation of the figure 1752 found in this analysis.
Mythos Grading Mythos: Got Patches Yet? https://www.flyingpenguin.com/mythos-grading-mythos-got-patches-yet/
How much of the media merely parroted whatever Anthropic claimed about its secret data? More importantly, how much of this media got paid by Anthropic? This giant Ponzi scheme is based upon or built around plagiarism and abundance of mostly useless data. It has budge allocated to PR and devoted/reserved for "marketing" (buying positive press coverage). Always remember that!
You cannot trust their "products" (LLM slop) and their executives any more than people who tried to sell NFTs. █