this post was submitted on 14 May 2026
174 points (96.3% liked)

Technology

85249 readers
4489 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
174
Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator (www.theregister.com)
submitted 3 weeks ago by tonytins@pawb.social to c/technology@lemmy.world
8 comments fedilink hide all child comments
 

cURL developer Daniel Stenberg has seen Anthropic’s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was “primarily marketing” rather than a major AI security breakthrough.

Stenberg explained in a Monday blog post that he was promised access to Anthropic’s Mythos model - sort of - through the AI biz’s Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl’s codebase and later sent him a report.

“It’s not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway,” Stenberg explained. “Getting the tool to generate a first proper scan and analysis would be great, whoever did it.”

top 8 comments
sorted by: hot top controversial new old
[–] trailee@sh.itjust.works 49 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

Not to discount the usefulness or complexity of curl in any way, but it’s not one of the larger codebases out there. It’s also pretty darned good. Firefox seems to have a very positive experience with Mythos, but they also had their own internal test harnesses from prior work, ready to utilize LLM analysis at scale. It was far more intensive than having a third party run something on their behalf and produce a report.

[–] Nomad@infosec.pub 13 points 3 weeks ago (1 children)

As far as i understand it, its not all hype. Its a little bit like having a really competent security researcher go deep through your complete codebase just really fast and with improved recall.

So no black magic, just stuff regular security reviews would find. Firefox is just a huge codebase and once a bug got past review it might stay there forever.

So this will be abused if released publicly sooner or later. This way is a little bit like responsible disclosure. This will make the initial wave hurt way less. And obviously it doesn't hurt marketing.

Anybody working with software knows marketing people promise the world and understand nothing. Pretty sure they just heard "black magic" and ran with it.

[–] MalReynolds@slrpnk.net 11 points 3 weeks ago* (last edited 3 weeks ago)

Its a little bit like having a really competent security researcher go deep through your complete codebase just really fast and with improved recall.

I doubt that, more of a force multiplier for security researchers at this stage (perhaps always for LLMs without an architecture leap) IMO. Otherwise I generally agree. It's responsible to take this approach perhaps, but mostly marketing. Still let's not kid ourselves it isn't happening at scale already. Plenty of open weights models can also force multiply a competent security researcher, either black or white hat. Mythos isn't a quantum leap or anything, just 4.7.

Anybody working with software knows marketing people promise the world and understand nothing. Pretty sure they just heard “black magic” and ran with it.

Heh, yup.

[–] Kissaki@feddit.org 21 points 3 weeks ago* (last edited 3 weeks ago)

Or maybe they didn't. Check this cross-post comment thread.

I replied there, sourcing the original blog post.

What they said: “Maybe slightly better, not significantly better than existing tools, at least in the context of this single project”. What The Register makes of that: “greatest marketing stunt ever”. They did reference marketing in one sentence, but it was nowhere near as extreme.

[–] Photonic@lemmy.world 4 points 3 weeks ago* (last edited 3 weeks ago)

So… can we say: “Myth busted” ? Busted

[–] partofthevoice@lemmy.zip 1 points 3 weeks ago* (last edited 3 weeks ago)

Really though… how hard might it be to specialize a model in the process of systems analysis, auditing, documentation, testing, … and also ensure it is biased toward exploitative behaviors? I imagine training a model on all the CVEs, and other such texts, along with systems documentation and some kind of training for tool use (cli and cli tools) and tuning by making the model actually reproduce each CVE result within a virtual environment. Then see what happens when you put it in the ring with modern software.

I might be playing devils advocate. I really don’t believe Anthropic has anything special. Anthropic did get me thinking though, and should this really be so difficult? It seems possibly plausible, to me at least, if you really wanted to do this. It would make a shit general use LLM, though.