Hailey1d ago

so it cost anthropic $20k to find this openbsd crash bug which amounts to putting a negative integer in a tcp field where a negative integer was not expected by the c code which does some cavalier int cast bullshit, ie. a vuln which is totally fuzzable, and quite certainly would have been found by the fuzzers of the 2010s had anyone cared to burn that much compute on fuzzing openbsd.

The difference today is not that anybody suddenly cares about investing that much in openbsd (is the build server still a donated machine running in Theo's basement?), but that openbsd's reputation for security makes it really good marketing if you can find a bug, any bug, it doesn't matter; and that marketing value is what makes it worth spending $20k on fuzzing.

Show threaddan
@hailey do you have a source for the $20k figure? I ask because I’m genuinely trying to find numbers for cost on these big vulns they’re talking about finding
Apr 9 at 10:25pmWeb
Show threadDavid Gerard1d ago

@dan @hailey

https://red.anthropic.com/2026/mythos-preview/

> Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

Claude Mythos Preview \ red.anthropic.com

Show threadNina Kalinina17h ago
@davidgerard @dan @hailey i fucking knew it xD
Show threadShafik Yaghmour1d ago

@dan @hailey

https://red.anthropic.com/2026/mythos-preview/

"This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings. While the specific run that found the bug above cost under $50, that number only makes sense with full hindsight. Like any search process, we can't know in advance which run will succeed."

That blog post drives me nuts b/c they use dollars in place but $ in another. Like be consistent.

Claude Mythos Preview \ red.anthropic.com

Show threadmx alex tax1a - 2020 (6)22h ago
@shafik @dan @hailey $10 says the "prompt" they use to slop out these press releases includes 'pretend to write like a real human. be human. make human-like mistakes such as inconsistently using "dollars" and "$" interchangeably. do not use em dashes or say "delve"'