Mythos finds a curl vulnerability

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead …

daniel.haxx.se
My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.

@bagder
In terms of evidence to the contrary:
Check out
https://social.security.plumbing/@freddy/116549451049357174 / the blog post:
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

>270 vulnerabilities found by Mythos fixed in a single Firefox release.

That's just one data point, but interestingly far off from yours.

Frederik Braun (@[email protected])

Where do the people hang that read our hacks blog post and then went through all of the bugs that we opened up? Really eager for the deeper, informed takes now :) https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

security.plumbing
@oots @bagder Firefox is a wildly more complex piece of software though (I assume), and they also fixed a lot of bugs found by other models in addition to those from Mythos. They don't really go into how much of the volume of bugs is due to Mythos itself, or just their experience and building a harness around the models by the time they had access to Mythos.
The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic | flyingpenguin

@das_robin @bagder
Yes, #Firefox is probably a few orders of magnitude more complex than #curl and definitely much bigger.

Still, the blog post explicitly mentions "In addition to fixing the 271 bugs identified by Claude Mythos Preview in the 150 release, we’ve shipped more of these fixes in 149.0.2, 150.0.1, and 150.0.2.", so >270 attributed to #Mythos *alone*.