Last week, the AI company Anthropic drew widespread attention by announcing that its latest model, Mythos, performed well in identifying security vulnerabilities, which could potentially cause chaos. To prevent such chaos, Anthropic launched a project called Project Glasswing, allowing more than 50 industry partners to test this advanced model, so that they can identify and fix security vulnerabilities in their own products before cyber attackers exploit them.
Although the participants of Project Glasswing have not been fully disclosed, it has been confirmed that companies such as Amazon Web Services, Apple, Google, and Microsoft are among them. The purpose of this initiative is to find and resolve vulnerabilities in products by collaborating with selected companies using Mythos.
According to an analysis by Patrick Garrity, a researcher at VulnCheck, there is currently no concrete data on the number of vulnerabilities discovered through Project Glasswing. He searched the CVE database for records containing the keyword "Anthropic." Although he found 75 records related to Anthropic, 35 of them were about vulnerabilities in Anthropic's own tools or third-party integrations, and could not be classified as vulnerabilities discovered by Glasswing.
The remaining 40 vulnerability records may be related to Glasswing, but their origin is still uncertain. According to Garrity's analysis, these 40 vulnerabilities originated from Anthropic's core research team, individual researcher Nicholas Carlini, and independent security research company Calif.io.
Looking at the distribution of the vulnerabilities, 28 of them were related to Mozilla's Firefox browser, 9 existed in the wolfSSL embedded SSL/TLS library, one involved F5's NGINX Plus application delivery platform, and one each was found in FreeBSD and OpenSSL.
So far, the only CVE that can be clearly associated with Glasswing directly is CVE-2026-4747, a remote code execution vulnerability that allows attackers to gain root access on machines running NFS on FreeBSD. Although Anthropic mentioned other vulnerabilities, these have not yet been assigned CVE numbers.
Garrity said that the public still needs to wait for full disclosure about Project Glasswing. Anthropic is expected to release a summary report on the vulnerabilities discovered in July 2026, and it is recommended that the company establish a dedicated security advisory page to transparently disclose vulnerabilities discovered by its research team and Project Glasswing.
Key points:
🛡️ Anthropic launched Project Glasswing, allowing over 50 companies to use its model Mythos for vulnerability testing.
🔍 The exact number of vulnerabilities discovered by Project Glasswing remains undetermined, with only 40 possibly related to the project.
📅 Anthropic is expected to release a public summary report on the vulnerabilities discovered by July 2026.
