
On the heels of Anthropic’s announcement of Project Glasswing, the “find and fix” approach to bugs and vulnerabilities will have to be rethought.
Project Glasswing is a multi-vendor initiative to tighten cybersecurity. It came together after Anthropic saw that frontier AI models can find and exploit vulnerabilities faster than all but the most skilled people can find and remediate them, according to the announcement. Anthropic’s Claude Mythos Preview demonstrated that capability and has already found major vulnerabilities in every major operating system and web browser, the company said. Vulnerability remediation speed is falling behind.
“Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely,” Anthropic wrote in its blog. “The fallout—for economies, public safety, and national security—could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.”
Jeff Williams, founder of OWASP and co-founder and CTO of Contrast Security, said, “Mythos makes the first domino clearer: once frontier AI can do large-scale bug hunting, the logic of paying humans for routine discovery starts to break down. This does not just threaten bug bounties. It threatens the whole idea that security can remain a find-and-fix afterthought. The era of the security backlog is coming to a welcome end.”
The preview is available to the launch partners, who will use it to work on defensive strategies and share what they learn with the industry. The partners include Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
Williams believes the future belongs to software factories that can reliably produce secure code and the assurance case to prove it. This is important, because he thinks it is “highly questionable that Anthropic will be able to limit the malicious uses of this model. Anthropic once again released impressive results, but many of the details are still self-reported and only partially externally verifiable.”
Snehal Antani, CEO of pen-testing company Horizon3, is seeing this play out in the real world. Horizon3 has conducted 225,000+ fully autonomous pen-tests, consistently surfacing vulnerabilities most organizations don’t even know exist. “CISOs must focus on what’s truly exploitable, high impact and actively used by attackers, not just what’s highest volume,” Antani said. “As AI accelerates, vulnerability and KEV exploitation timelines shrink, and organizations are struggling to find, fix and verify issues fast enough.”
Antani said the real trouble is patching at scale. “With most KEVs still unpatched weeks after disclosure, the industry must improve mitigations, compensating controls, and detection to close the growing exposure window.”
Donating to the Apache Software Foundation
Anthropic said it is making a $1.5 million contribution to support the ASF’s work on the open source infrastructure that AI systems depend on, and on its resilience and integrity.
“AI is accelerating rapidly, but it’s built on decades of open source infrastructure that must remain stable, secure, and independent,” said Vitaly Gudanets, Chief Information Security Officer, Anthropic. “Supporting the Apache Software Foundation is a direct investment in the resilience and integrity of the systems that modern AI — and the broader software ecosystem — depend on.”
The ASF’s projects help the open source community thrive without requiring the purchase and use of proprietary vendor software.
“Open source software is the foundation of modern digital life — largely in ways the average person is completely unaware of — and ASF projects are a critical part of that. When it works, nobody notices, and that’s exactly the goal,” said Ruth Suehle, president of the foundation. “But that kind of reliability isn’t a given. It is the result of sustained investment in neutral, community-governed infrastructure by each part of the ecosystem. Support like Anthropic’s helps ensure long-term strength, independence, and security of the systems that keep the world running.”
Anthropic’s donation will help fund the ASF’s ongoing investment in infrastructure, including build systems, security processes, project services, and community support — ensuring that Apache projects can continue to serve as a backbone of the global software ecosystem, the foundation wrote in its announcement.
Learn more about how you can support the ASF at https://apache.org/
