Mythos finds a curl vulnerability

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead … Continue reading Mythos finds a curl vulnerability →

daniel.haxx.se
My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.
@bagder How do you explain that Mythos found 271 bugs in Firefox, and counting, and only 1 in cURL? Is the Firefox code base 271 times larger?

@gnirre @bagder with the most glancing of looks, looking at the 150 version of firefox (and some rounding),
curl: 200k lines of c
firefox:

  • 5M lines of rust
  • 9M lines of C and C++
  • 200k lines of assembly
  • 2M lines of python

so like, without looking at anything else, firefox is significantly bigger

@4censord @gnirre @bagder Also, didn't they intentionally disable all mitigations, sandboxing etc. in Firefox *and* include every teeny tiny bug it found (without mentioning the false-positives, which were probably a metric shit ton) to bolster those numbers?

There were lots of shenanigans afaik.