[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-project-glasswing-ai-software-bugs-en":3,"tags-project-glasswing-ai-software-bugs-en":30,"related-lang-project-glasswing-ai-software-bugs-en":41,"related-posts-project-glasswing-ai-software-bugs-en":45,"series-industry-f00e0143-9afd-4708-831d-e32365ac0157":82},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"f00e0143-9afd-4708-831d-e32365ac0157","Project Glasswing puts AI to work on software bugs","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fglasswing\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> says its new \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\" target=\"_blank\" rel=\"noopener\">Project Glasswing\u003C\u002Fa> brings together 12 major partners, more than 40 additional organizations, and up to $100M in usage credits to hunt software flaws with AI. That is a big number, but the more interesting one is this: the company says its unreleased \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fnews\u002Fclaude-mythos-preview\" target=\"_blank\" rel=\"noopener\">Claude Mythos Preview\u003C\u002Fa> model has already found thousands of high-severity vulnerabilities across major operating systems and browsers.\u003C\u002Fp>\u003Cp>This is one of those announcements that sounds abstract until you read the examples. A 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg, and a multi-step Linux kernel escalation were all found by the model, then patched after disclosure. If those claims hold up under outside scrutiny, the message is simple: AI is now good enough to help break critical software at scale, which means defenders need to move faster than they ever have.\u003C\u002Fp>\u003Ch2>What Project Glasswing actually is\u003C\u002Fh2>\u003Cp>Glasswing is Anthropic’s attempt to turn frontier-model cyber skills into a defensive program instead of a weapons race. The launch group includes \u003Ca href=\"https:\u002F\u002Faws.amazon.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.apple.com\" target=\"_blank\" rel=\"noopener\">Apple\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.broadcom.com\" target=\"_blank\" rel=\"noopener\">Broadcom\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.cisco.com\" target=\"_blank\" rel=\"noopener\">Cisco\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fcloud.google.com\" target=\"_blank\" rel=\"noopener\">Google\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.jpmorganchase.com\" target=\"_blank\" rel=\"noopener\">JPMorganChase\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.linuxfoundation.org\" target=\"_blank\" rel=\"noopener\">the Linux Foundation\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.nvidia.com\" target=\"_blank\" rel=\"noopener\">NVIDIA\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693401406-mvxu.png\" alt=\"Project Glasswing puts AI to work on software bugs\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Anthropic says these partners will use \u003Ca href=\"\u002Fnews\u002Fanthropic-claude-mythos-preview-meaning-en\">Mythos Preview\u003C\u002Fa> in defensive security work and share what they learn. The company also opened access to more than 40 other organizations that build or maintain critical infrastructure software, so they can scan first-party code and open-source projects. The funding piece matters too: Anthropic is putting up to $100M in usage credits behind the effort, plus $4M in direct donations to open-source security groups.\u003C\u002Fp>\u003Cul>\u003Cli>12 launch partners joined on day one\u003C\u002Fli>\u003Cli>40+ additional organizations got access for defensive work\u003C\u002Fli>\u003Cli>$100M in model usage credits is reserved for the program\u003C\u002Fli>\u003Cli>$4M goes directly to open-source security organizations\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That mix tells you what Anthropic is betting on. This is not a demo or a one-off red-team stunt. It is an attempt to make AI part of the normal security workflow for companies that run operating systems, browsers, cloud infrastructure, and the open-source libraries behind them.\u003C\u002Fp>\u003Ch2>Why the timing matters\u003C\u002Fh2>\u003Cp>Anthropic’s core warning is that the cost of finding and exploiting software bugs has dropped. That matters because software bugs are everywhere, and the ones that survive for years are often the hardest to spot. If a model can inspect code, reason through edge cases, and generate exploit paths without much human steering, then defenders gain speed, but attackers do too.\u003C\u002Fp>\u003Cp>The company puts the global annual cost of cybercrime at around $500B. That number is always messy, but it gives a sense of scale. A single flaw in a browser, kernel, or media library can cascade across millions of machines. In Anthropic’s telling, AI has moved from helping with code review to something closer to autonomous vulnerability research.\u003C\u002Fp>\u003Cblockquote>“The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI.” — Elia Zaitsev, Chief Technology Officer, CrowdStrike\u003C\u002Fblockquote>\u003Cp>That quote is useful because it captures the operational problem better than the marketing copy does. Security teams are no longer just racing against human attackers. They are racing against automated systems that can inspect huge codebases much faster than a human team can.\u003C\u002Fp>\u003Cp>Anthropic also says Mythos Preview found vulnerabilities that had survived decades of human review and millions of automated tests. If that is accurate, it suggests current tooling misses entire classes of bugs, especially in mature codebases that everyone assumes are already well understood.\u003C\u002Fp>\u003Ch2>The numbers behind the claim\u003C\u002Fh2>\u003Cp>Anthropic shared a benchmark comparison that gives some shape to the performance gap. On CyberGym, a vulnerability reproduction benchmark, Mythos Preview scored 83.1%, while \u003Ca href=\"\u002Fnews\u002Fclaude-opus-45-gpt-parameters-estimate-en\">Claude Opus\u003C\u002Fa> 4.6 scored 66.6%. That is a large spread for a task where small gains can mean the difference between a missed bug and a patched one.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693400847-m3vw.png\" alt=\"Project Glasswing puts AI to work on software bugs\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The company also says the model identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. It did not disclose all of them yet, but it did publish technical details for a subset that have already been fixed. In several cases, the model also generated related exploits without human direction.\u003C\u002Fp>\u003Cul>\u003Cli>CyberGym: 83.1% for Mythos Preview vs 66.6% for Opus 4.6\u003C\u002Fli>\u003Cli>Thousands of zero-days were found across major operating systems and browsers\u003C\u002Fli>\u003Cli>OpenBSD bug: 27 years old, could remotely crash a machine\u003C\u002Fli>\u003Cli>FFmpeg bug: 16 years old, missed by tests run 5 million times\u003C\u002Fli>\u003Cli>Linux kernel chain: moved from user access to full machine control\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Those examples matter because they cover different kinds of software failure. OpenBSD shows that even security-focused systems can hide old bugs. FFmpeg shows that automated testing is still blind to some defects. The Linux kernel example shows how multiple small issues can combine into a serious compromise.\u003C\u002Fp>\u003Cp>Anthropic says it reported the bugs to maintainers and that they are now patched. For other flaws, the company is only publishing cryptographic hashes for now, with details to follow after fixes land. That is the right call if the goal is defense first, because it reduces the chance that the same findings get reused before patches ship.\u003C\u002Fp>\u003Ch2>How this compares with the rest of the field\u003C\u002Fh2>\u003Cp>Glasswing also reveals how quickly the AI security market is splitting into two tracks: tools that help defenders write better code, and tools that can independently discover flaws. Anthropic is clearly aiming at the second track. That puts it in a different category from general coding assistants such as \u003Ca href=\"https:\u002F\u002Fopenai.com\" target=\"_blank\" rel=\"noopener\">OpenAI\u003C\u002Fa>’s \u003Ca href=\"https:\u002F\u002Fopenai.com\u002Findex\u002Fintroducing-codex\u002F\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\" target=\"_blank\" rel=\"noopener\">GitHub Copilot\u003C\u002Fa>, which are useful for productivity but are not being marketed as autonomous vulnerability hunters.\u003C\u002Fp>\u003Cp>It also puts pressure on the security vendors in the room. \u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa> are all part of the effort, which suggests the big players think the model is good enough to be worth testing in real workflows. That is a stronger signal than a lab benchmark alone.\u003C\u002Fp>\u003Cul>\u003Cli>Anthropic is pitching autonomous bug discovery, not just code suggestions\u003C\u002Fli>\u003Cli>GitHub Copilot targets developer productivity, not vulnerability research\u003C\u002Fli>\u003Cli>Microsoft says Mythos Preview improved on its CTI-REALM benchmark\u003C\u002Fli>\u003Cli>The Linux Foundation is involved because open source carries much of modern infrastructure\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Jim Zemlin of the Linux Foundation put the open-source angle plainly: “By giving the maintainers of these critical open source codebases access to a new generation of AI models that can proactively identify and fix vulnerabilities at scale, Project Glasswing offers a credible path to changing that equation.” That is the key practical point. Most critical software is maintained by small teams, often with limited time and budget, and AI can help fill that gap if the output is accurate enough.\u003C\u002Fp>\u003Ch2>What to watch next\u003C\u002Fh2>\u003Cp>Glasswing is important because it turns a scary capability into a coordinated defensive program, but the real test is whether the disclosures lead to fewer shipped bugs, faster patch cycles, and better secure-by-default code in the systems we all depend on. The next few months should show whether the model’s findings are repeatable by outside teams and whether partners can fold the results into everyday security operations.\u003C\u002Fp>\u003Cp>My guess: the biggest near-term impact will not be dramatic new attack chains. It will be a steady increase in patch volume for old, embarrassing bugs that have lived in mature code for years. If Anthropic’s numbers keep holding up, the question for every infrastructure team becomes simple: do you want to wait until AI finds your worst bugs first, or do you want the model pointed at your code before attackers get there?\u003C\u002Fp>\u003C\u002Fcontent>","Anthropic’s Project Glasswing gives 40+ groups access to Claude Mythos Preview after it found thousands of zero-days across major systems.","www.anthropic.com","https:\u002F\u002Fwww.anthropic.com\u002Fglasswing",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693401406-mvxu.png",[13,14,15,16,17],"Anthropic","Project Glasswing","Claude Mythos Preview","software security","zero-day vulnerabilities","en",0,false,"2026-04-09T00:09:45.698445+00:00","2026-04-09T00:09:45.505+00:00","done","321c0ca8-5c60-4740-8ee5-c8f478967ff1","project-glasswing-ai-software-bugs-en","industry","8ff05ee3-542c-4a90-af18-875d1b009a5b","published","2026-04-09T09:00:49.465+00:00",[31,33,35,37,39],{"name":15,"slug":32},"claude-mythos-preview",{"name":13,"slug":34},"anthropic",{"name":14,"slug":36},"project-glasswing",{"name":16,"slug":38},"software-security",{"name":17,"slug":40},"zero-day-vulnerabilities",{"id":27,"slug":42,"title":43,"language":44},"project-glasswing-ai-software-bugs-zh","Project Glasswing 讓 AI 專抓軟體漏洞","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":26},"6ff3920d-c8ea-4cf3-8543-9cf9efc3fe36","circles-agent-stack-targets-machine-speed-payments-en","Circle’s Agent Stack targets machine-speed payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871659638-hur1.png","2026-05-15T19:00:44.756112+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":26},"1270e2f4-6f3b-4772-9075-87c54b07a8d1","iren-signs-nvidia-ai-infrastructure-pact-en","IREN signs Nvidia AI infrastructure pact","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871059665-3vhi.png","2026-05-15T18:50:38.162691+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":26},"b308c85e-ee9c-4de6-b702-dfad6d8da36f","circle-agent-stack-ai-payments-en","Circle launches Agent Stack for AI payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870450891-zv1j.png","2026-05-15T18:40:31.462625+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":26},"f7028083-46ba-493b-a3db-dd6616a8c21f","why-nebius-ai-pivot-is-more-real-than-hype-en","Why Nebius’s AI Pivot Is More Real Than Hype","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823055711-tbfv.png","2026-05-15T05:30:26.829489+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":26},"b63692ed-db6a-4dbd-b771-e1babdc94af7","nvidia-backs-corning-factories-with-billions-en","Nvidia backs Corning factories with billions","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822444685-tvx6.png","2026-05-15T05:20:28.914908+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":26},"26ab4480-2476-4ec7-b43a-5d46def6487e","why-anthropic-gates-foundation-ai-public-goods-en","Why Anthropic and the Gates Foundation should fund AI public goods","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796645685-wbw0.png","2026-05-14T22:10:22.60302+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"d35a1bd9-e709-412e-a2df-392df1dc572a","ai-impact-2026-developments-market-en","AI's Impact in 2026: Key Developments and Market Shifts","2026-03-25T16:20:33.205823+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"5ed27921-5fd6-492e-8c59-78393bf37710","trumps-ai-legislative-framework-en","Trump's AI Legislative Framework: What's Inside?","2026-03-25T16:22:20.005325+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"e454a642-f03c-4794-b185-5f651aebbaca","nvidia-gtc-2026-key-highlights-innovations-en","NVIDIA GTC 2026: Key Highlights and Innovations","2026-03-25T16:22:47.882615+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"0ebb5b16-774a-4922-945d-5f2ce1df5a6d","claude-usage-diversifies-learning-curves-en","Claude Usage Diversifies, Learning Curves Emerge","2026-03-25T16:25:50.770376+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"69934e86-2fc5-4280-8223-7b917a48ace8","openclaw-ai-commoditization-concerns-en","OpenClaw's Rise Raises Concerns of AI Model Commoditization","2026-03-25T16:26:30.582047+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"b4b2575b-2ac8-46b2-b90e-ab1d7c060797","google-gemini-ai-rollout-2026-en","Google's Gemini AI Rollout Extended to 2026","2026-03-25T16:28:14.808842+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"6e18bc65-42ae-4ad0-b564-67d7f66b979e","meta-llama4-fabricated-results-scandal-en","Meta's Llama 4 Scandal: Fabricated AI Test Results Unveiled","2026-03-25T16:29:15.482836+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"bf888e9d-08be-4f47-996c-7b24b5ab3500","accenture-mistral-ai-deployment-en","Accenture and Mistral AI Team Up for AI Deployment","2026-03-25T16:31:01.894655+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"5382b536-fad2-49c6-ac85-9eb2bae49f35","mistral-ai-high-stakes-2026-en","Mistral AI: Facing High Stakes in 2026","2026-03-25T16:31:39.941974+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"9da3d2d6-b669-4971-ba1d-17fdb3548ed5","cursors-meteoric-rise-pressures-en","Cursor's Meteoric Rise Faces Industry Pressures","2026-03-25T16:32:21.899217+00:00"]