about https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/
Here's a one-page version of the above article for an IT person:
**The gist: Anthropic hyped a new AI model called "Claude Mythos Preview" as an unprecedented cybersecurity threat — and the author argues the technical evidence simply doesn't back up the headlines.**
**What Anthropic claimed:**
- Mythos discovered *thousands* of critical zero-day vulnerabilities across every major OS and browser
- It's so dangerous they won't release it publicly
- They launched a $100M defensive consortium (called "Glasswing") with Apple, Google, Microsoft, etc.
**What the author actually found in Anthropic's own 244-page document:**
1. **The "thousands" figure appears nowhere in the technical document.** It only shows up in the marketing blog and press releases — not in the actual system card that would need to survive peer review.
2. **The headline Firefox demo collapses on page 52.** The much-touted 72% exploit success rate drops to 4.4% when the top two bugs are removed. Anthropic's own document admits almost all wins came from the same two already-patched bugs. Worse, the predecessor model (Claude Sonnet 4.6) showed essentially equivalent triage ability.
3. **The bugs weren't even found by Mythos.** They were pre-discovered by an earlier Anthropic model and handed to Mythos as test material. Mozilla had already patched them.
4. **Independent researchers (AISLE) reproduced the showcase bugs using a 3.6 billion parameter open-weights model costing $0.11 per million tokens** — versus Mythos at $25 per million tokens. 8 out of 8 models tested found the same vulnerabilities.
5. **The $100M consortium is mostly fake money.** Only $4M is real cash. The other $96M is free API credits to use the product being evaluated — Anthropic paying partners to validate Anthropic.
6. **Mythos failed against properly defended targets.** The system card quietly admits the model couldn't compromise a properly patched sandbox, and failed against OT (operational technology) environments. It only won against networks with no active defenses.
7. **No standard security documentation exists:** no CVE list, no CVSS scores, no independent reproduction, no comparison to existing tools like fuzzers (AFL, OSS-Fuzz), no vendor confirmation of novel findings.
**The bigger concern the author raises:** Anthropic has, without any democratic oversight, set itself up as a private gatekeeper deciding which security capabilities are "too dangerous" — granting access only to the largest incumbents who benefit from being inside that exclusive club. He calls this regulatory capture dressed as safety.
**Practical takeaway for IT/security teams:** Don't change your budget or threat model based on this. Your patching cadence, EDR coverage, MFA enforcement, and asset inventory still determine your actual risk posture — not this announcement.
---
The author's core charge: the gap between the marketing claims and what the technical document actually says is so wide that it constitutes a significant breach of trust, following a well-worn pattern of tech FUD used to create market advantage.
#Anthropic #AI #Claude_Mythos_Preview
#Claude_Mythos #Claude_Sonnet #IT_security