"It would create chaos if released," Anthropic warned about Mythos — a claim that began as a provocation and now sits at the center of an unusual experiment in secrecy and security.
What Anthropic announced and what Project Glasswing is
Last week Anthropic declared that its latest large language model, Mythos, is so capable at finding software vulnerabilities that releasing it publicly would be dangerous. The company has responded by opening Mythos to a controlled test program called Project Glasswing. Under that program, more than 50 selected companies and organizations have been granted access to use the model to probe their own products for security holes.
What remains unknown
Despite the scope of the program, the tally of confirmed vulnerabilities discovered through Project Glasswing remains undisclosed. Like the majority of the companies participating, details about how many common vulnerabilities and exposures (CVEs) were found — and whether those findings have been reported publicly — remain a mystery. In short: Anthropic says the model can surface dangerous flaws; more than 50 entities are testing it; but the results have not been made visible.
Why the opacity matters
- Technologists: A model that reliably finds vulnerabilities could be a powerful defensive tool for software teams, but without published results it is difficult to assess efficacy or reproducibility.
- Policymakers and regulators: The decision to restrict access while enabling selected organizations to test raises questions about oversight, reporting standards for discovered flaws, and how risk is balanced against broad disclosure.
- Users and product teams: If serious bugs are being found and remediated, users benefit — but if findings are not communicated in a transparent fashion, independent verification and community mitigation may be limited.
- Adversaries: A model described as being exceptionally good at finding vulnerabilities presents dual-use concerns: the same capabilities that help defenders could, if released or reverse-engineered, aid attackers.
What to watch next
The core tension of Project Glasswing is simple: a potentially high-value security capability is being wielded in private by a cohort of selected testers, while the public tally of its impact remains unknown. That arrangement may protect against immediate misuse, but it leaves open how broadly beneficial results will be shared, how findings will be validated, and who will ultimately judge whether the model is safe for wider release.
If Anthropic's claim about Mythos is accurate, organizations and the public have a stake in understanding the scale and nature of the vulnerabilities uncovered. Will participants publish CVE counts and remediation outcomes? Will independent researchers be allowed to replicate findings? Or will the most consequential discoveries stay behind a curtain of select access?
https://go.theregister.com/feed/www.theregister.com/2026/04/15/project_glasswing_cves/
