I don't think anybody actually watches videos any more, so here's MWT's core point -
The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.
So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.
The proof is going to be if any of the open source vulns turn out to be important. So far:
Anthropic set the project across open source projects and provided access and reported the vulns. Typically, you'd expect to see NCSCs spinning up advisories to patch high impact vulns, CISA telling orgs to patch etc etc etc.
What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.
It's not though, is it?
In my observation, organizations use these PR announcements & media releases to do layoffs, so they can outsource to a nephew's startup or grandchild's consultancy.
And the necessary patches or policy changes never get implemented.
Kevin Beaumont
Marius Kießling
Nicole Parsons