The constraint on software security used to be finding vulnerabilities. That constraint has flipped.
Project Glasswing, Anthropic's collaborative effort to harden the world's most critical software before capable AI models can be weaponized against it, has surfaced more than ten thousand high- or critical-severity vulnerabilities in its first month. The bottleneck now is how fast the industry can verify, disclose, and ship patches.
This is a meaningful structural shift for anyone building on or maintaining open-source infrastructure.
What happened in month one
Anthropic and approximately 50 partners used Claude Mythos Preview to scan systemically important software. Most partners individually found hundreds of critical- or high-severity bugs in their own codebases. Several reported a bug-finding rate increase of more than a factor of ten compared to previous methods.
One concrete data point: Cloudflare found 2,000 bugs across their critical infrastructure, 400 of which were rated high- or critical-severity.
Because standard coordinated disclosure policy gives vendors 90 days before public vulnerability details are released (or roughly 45 days after a patch ships), Anthropic is not publishing full technical specifics yet. The numbers above are the leading edge of what will eventually be a much larger public disclosure.
Why the patching lag matters for builders
The industry's coordinated disclosure window exists to protect end users. Patches need to be deployed before details go public. But when an AI model can surface thousands of vulnerabilities in weeks rather than years, the patching pipeline becomes the critical path, not the research pipeline.
For product engineers maintaining open-source dependencies, this means two things are true simultaneously: more of your dependencies may already have patches in flight, and the window between a patch release and public exploit details is exactly as short as it has always been.
What comes next
Anthropic says it will publish much more detail about Mythos Preview's findings once patches for the discovered vulnerabilities are widely deployed. The project also signals how Anthropic is thinking about releasing Mythos-class models more broadly, though specifics on that timeline are not yet public.
What to do right now
If your stack depends on widely used open-source software, treat the next 90 days as a high-patch-velocity period. Tighten your dependency update cadence. Watch the security advisories for projects you depend on more closely than usual. The vulnerability research has already happened. The question is whether your patching process can keep up with the disclosure schedule that follows.